Settlement system, user terminal and method executed thereby, settlement device and method executed thereby, and program

ABSTRACT

A settlement system with higher security which replaces a settlement system using credit cards is provided. The settlement system has a user terminal, a settlement device, and a settlement terminal. First, a user ID, a password, and upper limit amount information identifying an amount are inputted in a user terminal 100 (S912), and sent to the settlement device (S913). The settlement device performs credit determination (S922), generates temporary permission information if credit is possible (S923), and sends the temporary permission information to the user terminal (S924). The user terminal generates a one-time password (S915). The one-time password is inputted to the settlement terminal (S931). If the one-time password sent from the settlement terminal to the settlement device is identical to the one-time password created in the settlement device, the settlement device allows a user's payment (S928).

TECHNICAL FIELD

The present invention relates to a settlement system.

BACKGROUND ART

For example, credit card settlements are widely used for payment at stores, eating places and the like, as well as payment for buying and selling goods on the Internet. Such settlements (payment of money) are now performed via the Internet or other networks.

More specifically, the credit card settlements are performed as follows.

For a currently popular credit card, when a user performs the payment with the credit card, data read with a card reader or the like of a brick-and-mortar store if the user has used the credit card at the brick-and-mortar store, or data sent by the user to a virtual store on the web, for example, through encrypted communication, if the user has used the credit card at the virtual store, is sent from the brick-and-mortar store or the virtual store, via the network such as the Internet, to a settlement device that is a computer of a credit card company (or a computer managed by the credit card company). In the settlement device, an approach is generally employed in which it is determined whether or not credit is possible for the user, based on the received data, and the settlement is performed if the credit has been successful. While such credit is intended to mitigate risks taken by the credit card company, the computer of the credit card company attempts to mitigate risks due to fraudulent use of the credit card through impersonation by a third party, also by performing user authentication (for example, authentication by seeing legitimacy of a combination of a credit card number and a name of a credit card holder) prior to performing the credit. The authentication for the user as above is basically performed with the credit card number and the credit card holder which are physically imprinted or electromagnetically recorded information on the credit card.

SUMMARY OF INVENTION

Technical Problem

As mentioned above, only one fixed credit card number on the credit card exists for one credit card. Accordingly, complete elimination of the impersonation by the third party is difficult in the authentication with the credit card number.

In addition to a case where the credit card itself has been stolen by a malicious third party, if the credit card number has leaked as data, for example, from a database having recorded credit card numbers of customers for the settlement device or the like, the malicious third party can easily impersonate an owner of the credit card.

Various contrivances have been provided for the purpose of increasing precision of the user authentication to thereby reduce the fraudulent use of the credit card through the impersonation by the third party. If the credit card is used at the brick-and-mortar store, one of the contrivances is, of course, to essentially have the user's signature. Moreover, recently, various technologies such as CVC (Card Verification Code) and CVC2 are also actually used. However, these technologies merely increase the precision of the authentication by using a several-digit number other than the credit card number, with the credit card number in the authentication. Since the several-digit number used with the credit card number is constantly fixed similarly to the credit card number, these technologies only have an effect like that obtained by somewhat increasing the number of digits of the credit card number, and the effect of increasing the precision of the user authentication is also highly restricted.

An object of the invention of the present application is to propose a novel settlement technology which replaces a settlement technology using credit cards, and in which fraud through the impersonation by the third party is unlikely to occur.

Solution to Problem

In order to achieve this object, the inventor of the present application proposes the invention as described below.

The invention of the present application is a settlement system configured to include a user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; a settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and a settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

The user terminal in this settlement system is capable of inputting upper limit amount information that is information identifying an amount of an upper limit of the settlement, and amount information that is information identifying an amount to be settled, with the user terminal input means, and transmits the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; and moreover, the user terminal information processing means comprises a user terminal OTP generation unit that generates a one-time password.

Moreover, the settlement device in the settlement system receives the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; the settlement device information processing means comprises a credit determination unit that, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executes credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and if it is determined in the credit determination that the settlement is possible, generates temporary permission information that is information indicating the determination; the settlement device information processing means also comprises a final determination unit that performs final determination of the settlement, and a settlement device OTP generation unit that generates the one-time password identical to the one-time password which is generated in the user terminal if the temporary permission information has been generated; and the settlement device transmission and reception means transmits the temporary permission information generated by the credit determination unit to the user terminal via the network; and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit.

In addition, in this settlement system, when the temporary permission information is accepted from the settlement device by the user terminal at the user terminal transmission and reception means, the user terminal OTP generation unit generates the one-time password; and if the one-time password generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

In an illustration for the purpose of helping general understanding of the invention of the present application, the user terminal in the settlement system of the invention of the present application is used, managed, etc. by the user, and corresponds to a credit card in a conventional settlement system using credit cards. The settlement device of the invention of the present application corresponds to a settlement device managed, etc. by a credit card company or the like in a credit card settlement system. Moreover, the settlement terminal of the invention of the present application corresponds to a device having a card reader placed at a brick-and-mortar store in the credit card settlement system, or if the settlement system is applied to the settlement at a virtual store on the Internet, the settlement terminal of the invention of the present application corresponds to a computer itself used by the user, or a computer managed by an administrator of the virtual store, which receives the one-time password from the computer used by the user, or a combination thereof. However, the above illustration is merely an illustration, and may also be not necessarily accurate since the invention of the present application may also be a totally new settlement system.

The user terminal of the invention of the present application is a computer, for example, a portable computer, and is a mobile phone, a smartphone, a tablet or the like. It is now very common also for ordinary people to carry around such equipment. The user utilizes such equipment as the user terminal, and thus does not need to carry around the credit card that is bulky. In this settlement system, if the user terminal corresponds to the credit card in the conventional settlement system, the one-time password generated in the user terminal in this settlement system corresponds to the credit card number in the conventional settlement system. For the one-time password, different one-time passwords are generated one after another as is well known. Accordingly, even if the one-time password has been stolen by a malicious third party, it is difficult to abuse such a so-called disposable one-time password, and in addition, as will be described later, when an expiration time of the one-time password has been defined to be much shorter than the expiration time of an ordinary credit card (for example, within several months or several weeks, within on the order of several days to several tens of minutes, possibly on the order of 10 minutes, which, however, may be longer than this), such abuse becomes almost impossible. In other words, in this settlement system, the one-time password that is valid only at that time is used instead of the credit card number, and thereby the impersonation by the malicious third party is prevented.

Meanwhile, the settlement system according to the invention of the present application has a further advantage. In the conventional settlement system using the credit cards, it is widely known that a person stealing and abusing the credit card number may be a person in a position of being informed of the credit card number by the user, such as those who operate or manage a credit card reader. In other words, in the credit card settlement system, a person handling the credit card number himself may structurally become the malicious third party, and complete elimination thereof is impossible. In case of the abuse of the credit card number performed by such a person, the credit card company or the like that issues the credit cards performs credit management for a person operating or managing the credit card reader (or organization of corporation to which they belongs), and increases or decreases a fee in the case of the payment with the credit card, depending on the degree of his credit, and the like, which are very burdensome. However, according to the settlement system of the invention of the present application in which the abuse of the credit card number by the third party can hardly be assumed, the above credit management performed by the credit card company or the like is not required. In the above credit management, a person even without the credit, who is judged to be imbalanced with risks taken by the credit card company or the like, regardless of how much the fee is increased, is precluded from the credit management performed by the credit card company or the like, and cannot receive the payment with the credit card. This is reality today with popularization of the credit card settlement system. Unnecessary credit management for the recipient of the payment from the user in the settlement system using the credit cards, in which the credit card number is received from the user, means that the number of recipients of the payment from the user can be increased more than a conventional case, according to the settlement system of the invention of the present application. This naturally is a great advantage.

A general flow of processing in this settlement system is as follows.

First, the user inputs the upper limit amount information that is the information identifying the upper limit amount to be settled, with the user terminal input means. The upper limit amount information is transmitted from the user terminal to the settlement device, along with the user information that is the information identifying the user who performs the settlement according to the upper limit amount information.

This settlement device uses the user information and the upper limit amount information to perform user authentication and credit judgment with the credit determination unit. The user authentication performed here is performed with the user information. The user information may include, for example, at least one of a user ID inputted by the user with the user terminal input means, and unique terminal information allocated to each user terminal that is the user terminal, or may include both of them. Since the user ID is, for example, an enumeration of numbers, characters, symbols and the like decided by the user, and is basically only known to a legitimate user, even if the user terminal is stolen by the third party, the impersonation by the third party may be highly likely to be prevented. Examples of the terminal information can include, in the case where the user terminal is a smartphone, an ID number recorded in a SIM card (Subscriber Identity Module Card) incorporated in this smartphone, and an individual identification number such as a manufacturing number of the smartphone. If the terminal information is used for the user authentication, the impersonation by the malicious third party becomes likely to be prevented, unless the user terminal itself is stolen by the malicious third party. Of course, when both the user ID and the terminal information are used for the user authentication, the user authentication becomes precise, and the impersonation can also be prevented with a high possibility.

The credit determination itself performed in the credit determination unit can be performed similarly to the credit determination in the case of using the conventional credit card. If it is determined in the credit determination that the settlement can be performed, the temporary permission information indicating the determination is sent from the settlement device to the user terminal. However, depending on this method of executing the credit determination, the settlement system of the present application may be close to the settlement system with the credit cards or may be close to a settlement system with debit cards. This point will be described later.

In the user terminal, which has received the temporary permission information, the one-time password is generated in its user terminal OTP generation unit. The one-time password can be an enumeration of numbers, characters, symbols and the like, and is generated at least each time the user is authenticated by the settlement device, and also becomes different for each generation. Moreover, the sets of the one-time passwords generated in each user terminal are different if all the one-time passwords generated multiple number of times in each of user terminal are seen. The one-time password can be generated, for example, with a publicly known approach. The one-time password generated in the user terminal is passed to the settlement terminal with the settlement terminal input means of the settlement terminal.

The user terminal typically includes a display. The one-time password generated in the user terminal OTP generation unit is displayed, for example, on the display. If the one-time password is an enumeration of numbers, a numeric keypad or the like is provided as the settlement terminal input means, and thereby, the user or the administrator of the settlement terminal can operate the numeric keypad or the like to input the one-time password displayed on the display, to the settlement terminal. If the one-time password is a combination of numbers and characters, and the settlement terminal input means is a keyboard, the user or the administrator of the settlement terminal can operate the keyboard to input the one-time password displayed on the display, to the settlement terminal. A method of passing the one-time password to the settlement terminal is not limited thereto. For example, the one-time password can also be passed to the settlement terminal by taking an image of the display of the user terminal having the one-time password displayed thereon, with a camera as the settlement terminal input means, and inputting the one-time password displayed on the display to the settlement terminal through image processing, or by reading the one-time password displayed as a bar code on the display of the user terminal, with a bar-code reader as the settlement terminal input means. Alternatively, the one-time password can also be passed as data from the user terminal to the settlement terminal through wireless communication such as Bluetooth™ or infrared communication (of course, wired communication may be used but is somewhat inconvenient.). It should be noted that, in this case, the one-time password is not necessarily required to be displayed on the display of the user terminal.

If the user performs the payment to the virtual store on the Internet, the user will input the one-time password to the user terminal, or to another terminal that is used by the user and is capable of communicating via the Internet. For the input in this case, while the numeric keypad or the keyboard included in the user terminal or the other terminal is typically used, it is self-evident that the camera, the bar-code reader, or the wireless communication may also be utilized in this input, similarly to the above-mentioned case.

Moreover, the amount information that is the information identifying the amount to be settled is passed from the user terminal to the settlement terminal. In the case of the brick-and-mortar store, one of specific examples thereof is that the user orally tells the amount to be paid with the one-time password at the brick-and-mortar store, to the administrator of the settlement terminal, and the administrator of the settlement terminal inputs the amount to the settlement terminal with the settlement terminal input means. Alternatively, the user may also send or input the amount information, which has been inputted to the user terminal by the user with the user terminal input means, to the settlement terminal with the camera or the bar-code reader, or wirelessly. In this case, the one-time password and the amount information may conveniently be sent or inputted collectively from the user terminal to the settlement terminal. In contrast, in the case of the virtual store, while the numeric keypad or the keyboard included in the user terminal or the other terminal is used in order for the user to pass the amount information to the virtual store, it may be self-evident that the camera, the bar-code reader, or the wireless communication may also be utilized in this input, similarly to the above-mentioned case.

In any case, the one-time password and the amount information passed from the user terminal to the settlement terminal are sent from the settlement terminal to the settlement device.

Meanwhile, the settlement device has the settlement device OTP generation unit. The settlement device OTP generation unit generates a one-time password identical to the one-time password which is generated in the user terminal. The settlement device OTP generation unit generates the one-time password at an appropriate timing that is the same time as the generation of the temporary permission information or later. Regarding the one-time password generated in the settlement device OTP generation unit, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, in the recording medium, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit.

As is publicly known, the one-time password generated in the user terminal OTP generation unit and the one-time password generated in the settlement device OTP generation unit are synchronized. The settlement device performs settlements of many user terminals, so that the settlement device can generate the one-time password that is synchronized with the one-time password generated in the user terminal OTP generation unit of each user terminal.

When the one-time password is received from the settlement terminal, the final determination unit performs the final determination in the settlement device. The final determination is determination of whether or not the payment of the amount identified by the amount information, from the user to the administrator of the settlement terminal or the like, may be allowed. When the settlement device receives the one-time password and the amount information from the settlement terminal, the virtual balance information associated with the one-time password identical to the one-time password sent from the settlement terminal is read out from the recording medium, and on the condition that the amount identified by the amount information received from the settlement terminal is equal to or less than the amount identified by the virtual balance information, the final determination unit allows the above-mentioned payment. If the final determination unit has allowed the payment, the final determination unit subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium. The processing performed in the settlement device after the payment is permitted may, for example, be similar to the case of the settlement system using the credit cards or the debit cards.

According to this settlement system, as mentioned above, final permission of the settlement performed in the settlement device is performed with the one-time password generated in the user terminal.

The one-time password used in the user terminal will be generated over and over again to be changed. Accordingly, even when the one-time password has been stolen by the third party, damage is unlikely to occur therefrom, and even if the damage occurs, the damage is much smaller than the case of the settlement system using the credit cards.

In the invention of the present application, the user can use one one-time password to perform multiple payments within a range of the upper limit amount. When the user performs the payment, the user sends the one-time password and the amount information to the settlement device via the settlement terminal. Unless a sum of the amounts identified by the amount information exceeds the upper limit amount, the settlement device allows the payment from the user to the administrator of the settlement terminal, and subtracts the amount used for the payment, from the virtual balance in each case.

Moreover, even in a case where the one-time password has been generated once in the user terminal, and a one-time password identical to the one-time password has also been generated once in the settlement device, for example, if a balance has existed in virtual balance information when the expiration time of the one-time password has expired, the settlement device can also set the balance back to the user's credit balance or account balance at a bank or the like. Thereby, the user can lightheartedly use the user terminal to issue the one-time password.
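The flow described above (credit determination, synchronized one-time password generation, final determination against the virtual balance, and return of the unused balance on expiry) can be modelled as follows. This is an added example, not code from the application: the HOTP-style derivation (RFC 4226), the shared per-user seed, the use of a counter as the temporary permission information, the collision check, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def derive_otp(seed: bytes, counter: int, digits: int = 8) -> str:
    """HOTP-style derivation (RFC 4226), an assumed stand-in for the
    'publicly known approach' the text leaves open."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Grant:
    user_id: str
    balance: int       # virtual balance, starts at the upper limit amount
    expires_at: float  # end of the one-time password's validity


class SettlementDevice:
    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self.seeds = {}     # user_id -> seed shared with that user terminal
        self.counters = {}  # user_id -> last counter used
        self.credit = {}    # user_id -> credit still available
        self.grants = {}    # live OTP -> Grant (the "recording medium")

    def enroll(self, user_id: str, seed: bytes, credit_limit: int) -> None:
        self.seeds[user_id] = seed
        self.counters[user_id] = 0
        self.credit[user_id] = credit_limit

    def expire(self, now: float) -> None:
        """Drop expired OTPs and set any unused balance back to the user."""
        for otp in [o for o, g in self.grants.items() if g.expires_at <= now]:
            grant = self.grants.pop(otp)
            if grant.user_id in self.credit:
                self.credit[grant.user_id] += grant.balance

    def request_permission(self, user_id: str, upper_limit: int, now: float):
        """Credit determination. Returns the counter as the temporary
        permission information (assumed encoding), or None if refused."""
        if user_id not in self.seeds or upper_limit <= 0:
            return None
        self.expire(now)
        if upper_limit > self.credit[user_id]:
            return None
        # The OTP is the only lookup key at settlement time, so it must be
        # unique among live grants: skip counters whose OTP collides.
        counter = self.counters[user_id] + 1
        while derive_otp(self.seeds[user_id], counter) in self.grants:
            counter += 1
        self.counters[user_id] = counter
        self.credit[user_id] -= upper_limit  # reserve the upper limit
        otp = derive_otp(self.seeds[user_id], counter)
        self.grants[otp] = Grant(user_id, upper_limit, now + self.ttl)
        return counter

    def settle(self, otp: str, amount: int, now: float) -> bool:
        """Final determination: the OTP must be live and the amount must not
        exceed the virtual balance; on success the amount is subtracted."""
        self.expire(now)
        grant = self.grants.get(otp)
        if grant is None or amount <= 0 or amount > grant.balance:
            return False
        grant.balance -= amount
        return True


def demo() -> dict:
    seed = b"constructed-demo-seed"  # constructed sample value
    device = SettlementDevice(ttl_seconds=600)
    device.enroll("alice", seed, credit_limit=50_000)

    counter = device.request_permission("alice", upper_limit=10_000, now=0)
    otp = derive_otp(seed, counter)  # computed on the user terminal
    payments = [
        device.settle(otp, 4_000, now=60),   # allowed, balance 6,000
        device.settle(otp, 7_000, now=120),  # refused, exceeds balance
        device.settle(otp, 6_000, now=180),  # allowed, balance 0
        device.settle(otp, 1, now=240),      # refused, nothing left
    ]
    unknown = device.settle(otp + "0", 1, now=250)  # no such OTP recorded

    counter2 = device.request_permission("alice", upper_limit=5_000, now=300)
    otp2 = derive_otp(seed, counter2)
    device.settle(otp2, 2_000, now=400)
    after_expiry = device.settle(otp2, 1_000, now=1_000)  # expired at 900
    return {"payments": payments, "unknown": unknown,
            "after_expiry": after_expiry, "credit": device.credit["alice"]}


if __name__ == "__main__":
    print(demo())
```

Because the settlement terminal submits only the one-time password and the amount, the password alone selects the balance record; the uniqueness check in `request_permission` keeps two live grants from sharing one key.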

It should be noted that, in the invention of the present application, the administrator of the settlement terminal is not limited to a person who manages the settlement terminal, but includes all of persons who install, own, take sole possession of or occupy, or manage and operate the settlement terminal, as well as the recipient of the payment from the user, and in any case, the administrator of the settlement terminal means an organization itself that receives the payment from the user, or a person who belongs to this organization or is at least associated with the organization.

Moreover, in the settlement system of the invention of the present application, communication between the settlement device and the user terminal and communication between the settlement device and the settlement terminal may be encrypted communication.

It should be noted that, if the other party to which the user performs the payment with the settlement system of the present application is specifically a brick-and-mortar store, and if the user is assumed to perform the payment to the other party after a certain amount of time elapses (for example, after several hours or several months elapse) since the generation of the one-time password with the user terminal, the one-time password generated in the user terminal may also be conveniently printed on paper. While the one-time password in the invention of the present application is data (or simple information) without physical substance, the one-time password has a property in which the data or the information can be used to perform the payment to the third party. If this property is emphasized more, the one-time password generated in the user terminal in the settlement system of the present application can be considered as an alternative to money. In consideration of a trend with FinTech-related technologies raised as topics in recent years, while money may eventually lose its substance, at least the ordinary people in a current state are familiar with money having the physical substance. The user can use a cash voucher that is paper having the one-time password printed thereon, as if it were money (paper money), to thereby perform the payment to the other party of the payment. In other words, this cash voucher can be said to be one of variations for delivering the one-time password from the user terminal to the settlement terminal. The recipient of the payment, who has received this cash voucher, can input the one-time password printed thereon to the settlement terminal through some method, for example, by using the numeric keypad or the keyboard to perform the input.

However, if this cash voucher has been dropped by the user or stolen by the third party, the cash voucher may be used by the third party, similarly to when conventional paper money has been dropped by the user or stolen by the third party. Nonetheless, since the cash voucher has an expiration time for use depending on a usable period provided for the one-time password, a risk of being used by the malicious third party can be said to be smaller than the conventional money. However, as another kind of problem, this cash voucher has a risk in that, if the one-time password printed thereon has been known to the third party, the one-time password is used by the third party while the cash voucher itself exists at hand of the user, and thus monetary value, which has been originally included in the cash voucher or the one-time password printed on the cash voucher, may be lost. It is the risk that is not caused in the conventional paper money. It is difficult for the user still having the cash voucher at hand to know that the one-time password printed on the cash voucher has been stolen by the third party, and thus, even if this problem has occurred, it is difficult to find and solve the problem. Accordingly, as a technology for preventing occurrence of such a situation, the inventor of the present application proposes a cash voucher having a part of the one-time password printed on one side of the paper, and a rest part of the one-time password printed on another side of the paper, respectively. With this cash voucher, if the malicious third party has attempted to steal the one-time password printed on the cash voucher, the malicious third party needs to see (or take pictures of) both sides of the cash voucher, and thus a possibility of the one-time password being stolen becomes much lower than a case of the one-time password printed only on one side of the paper.

Moreover, the inventor of the present application also proposes a cash voucher made by printing information for identifying the one-time password generated in the user terminal in the settlement system of the present application, on paper, as one aspect of the invention of the present application. This cash voucher can also be used by the user in an aspect similar to existing traditional money. The information for identifying the one-time password is, for example, a bar code. The other party, which has received this cash voucher from the user and should receive the payment from the user, can read and input the information (for example, the bar code) to the settlement terminal to thereby input the one-time password generated in the user terminal to the settlement terminal. This can also be said to be one of the variations for delivering the one-time password from the user terminal to the settlement terminal. As in a case of printing the one-time password itself on the cash voucher, information for identifying a part of the one-time password may be printed on one side of the paper, and information for identifying a rest part of the one-time password may be printed on another side of the paper, respectively.

Moreover, a face of a person scheduled to use the cash voucher may be printed on the paper constituting the above cash voucher. If a person who should receive the payment from the user has received the cash voucher, matching of the face printed on the cash voucher and the face of the user who has held out the cash voucher is checked, and if processing required for the settlement with the cash voucher (for example, the input of the one-time password described on the cash voucher, to the settlement terminal) is to be performed only when the check has been successful, fraudulent use of the one-time password (a fraudulent settlement) can be prevented even in the case where the cash voucher has been dropped or stolen by the third party.

In this settlement system, if the user has the one-time password issued in the user terminal, the user can use the one-time password to perform the payment of the amount identified by the amount information, with the upper limit of the upper limit amount set when the one-time password has been issued, and possibly, the payment may be split into multiple number of times. In other words, the user can present the amount information to the other party to thereby provide an indication of intention of performing the payment of the amount identified by the amount information, and can also present the one-time password to the other party to thereby perform the payment of the amount identified by the amount information.

This is possible because, when the one-time password has been generated in the user terminal, the credit has already been finished for the upper limit amount identified by the upper limit amount information indicated to the settlement device by the user when the one-time password has been issued. In that sense, the one-time password generated in the user terminal can also be regarded as a temporary credit card number with a defined upper limit of a payable amount.

Moreover, specifically, when the one-time password and the amount information are sent from the settlement terminal to the settlement device, if identity of the user who has generated the one-time password in the user's own user terminal and has sent the one-time password from the settlement terminal is not checked in the settlement device, this one-time password can be used by anyone. In this case, the one-time password becomes transferable, and a person who has been transferred the one-time password can use it. In this case, the one-time password generated in the user terminal can be regarded as virtual currency that can be used for the payment with the upper limit of the amount identified by the upper limit amount information. It should be noted that since the virtual currency in this case has been given the credit based on the user's trust, reception of money by the person who has been transferred the one-time password, for example, via the settlement device, is generally ensured. In this sense, if the one-time password in the invention of the present application is regarded as the virtual currency, this one-time password has higher reliability than conventional virtual currency.

This one-time password is convenient since the user can be enabled to generate the one-time password at the user's preferable timing when the user needs to perform the payment. Moreover, even if the user has generated the one-time password, the user does not need to use it soon, and can separately use it several times according to the user's wish when the user needs to use it, which is also convenient. Moreover, when the user generates the one-time password, the user can set the upper limit amount of the amount that can be paid with the one-time password, by himself. Thus, the user can prevent wasteful spending as long as the generated one-time password is used to perform the payment, and also, even if the one-time password has been stolen, an amount of economic damage thereof will be limited to the upper limit amount set for the one-time password. All of them are advantages of the invention of the present application.

For example, when the user goes on an overseas trip, the user can generate the one-time password for covering the payments during the overseas trip, with the user's own user terminal, and go on the overseas trip with the one-time password instead of cash or the credit card. Moreover, when the user has intended to go for shopping at a shopping mall, if the user generates the one-time password with the upper limit amount depending on a budget for the shopping on that day, and utilizes the one-time password to perform the payment for the shopping on that day, the user can stay within the budget during the shopping. Moreover, if the one-time password is transferable, for example, a father can also generate multiple one-time passwords in his own user terminal, and give them to his children, respectively, for example, as their spending money. In this case, of course, different upper limits can also be set to the amounts that can be paid with the respective one-time passwords, which can create a state similar to a state where different amounts of spending money have been given to the respective children.

The inventor of the present application also proposes the user terminal used in the settlement system as described above, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example user terminal is a user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

In this user terminal, upper limit amount information that is information identifying an amount of an upper limit of the settlement, and amount information that is information identifying an amount to be settled are capable of being inputted with the user terminal input means; the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information are transmitted to the settlement device via the network with the user terminal transmission and reception means; and moreover, the user terminal information processing means comprises a user terminal OTP generation unit that generates a one-time password.

The settlement device receives the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; the settlement device information processing means comprises a credit determination unit that, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executes credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information for the user identified by the user information is possible, and if it is determined in the credit determination that the settlement is possible, generates temporary permission information that is information indicating the determination; the settlement device information processing means also comprises a final determination unit that performs final determination of the settlement, and a settlement device OTP generation unit that generates a one-time password identical to the one-time password which is generated in the user terminal if the temporary permission information has been generated; the settlement device transmission and reception means transmits the temporary permission information generated by the credit determination unit to the user terminal via the network; and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit.

In addition, in this settlement system, when the temporary permission information is accepted from the settlement device by the user terminal at the user terminal transmission and reception means, the user terminal OTP generation unit generates the one-time password; and thereby, if the one-time password generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

The final determination unit included in the settlement device in the settlement system of the invention of the present application may permit the settlement only if a time from a predetermined time point after the user starts processing for inputting the upper limit amount information with the user terminal input means and before the final determination unit performs the final determination of the settlement, until the final determination unit performs the final determination of the settlement, is shorter than a predefined time interval.

This, in short, provides the expiration time for the one-time password generated in the user terminal. Thereby, the one-time password in the settlement system according to the invention of the present application becomes less likely to be fraudulently used.

The predetermined time point is a predetermined time point after the user starts the processing for inputting the upper limit amount information with the user terminal input means and before the final determination unit performs the final determination of the settlement, as mentioned above. “When the user has started the processing for inputting the upper limit amount information with the user terminal input means” means when the user has started some processing required for starting the input of the upper limit amount information, instead of when the user has started the input of the upper limit amount information itself. For example, if software necessary for this settlement needs to be launched in the user terminal in order to input the upper limit amount information, this time means when processing thereof has been performed.

The predetermined time point is, for example, a time point when the user has inputted the upper limit amount information that is the information identifying the amount of the upper limit of the settlement, with the user terminal input means (for example, a time point when the user has started the input, or has finished the input); a time point when the user terminal transmission and reception means has transmitted the upper limit amount information and the user information to the settlement device via the network; a time point when the settlement device transmission and reception means has received the upper limit amount information and the user information from the user terminal transmission and reception means; a time point when the credit determination unit of the settlement device has generated the temporary permission information; a time point when the temporary permission information has been transmitted from the settlement device transmission and reception means of the settlement device; and a time point when the temporary permission information has been received at the user terminal transmission and reception means of the user terminal.

The settlement device can process virtual balances unused for payments, in virtual balances associated with expired one-time passwords, as unused virtual balances. For example, the settlement device can refrain from charging a financial institution for parts of the virtual balances which are unused for the payments, or as will be described later, if the settlement device manages the user's deposit balance (for example, corresponding to a case where the user performs the payment to the administrator of the settlement device in a prepaid manner, and the like), the settlement device can execute processing of returning the virtual balances unused for the payments, to the deposit balance.

In the settlement system of the invention of the present application, the user terminal input means may be capable of, with an operation thereof, inputting an additional condition that is a condition added in order for the final determination unit of the settlement device to permit the payment from the user of the user terminal to the administrator of the settlement terminal, and the user terminal transmission and reception means may send the additional condition to the settlement device via the network, and when the settlement device transmission and reception means accepts the additional condition, the final determination unit may add a condition for permitting the payment from the user of the user terminal to the administrator of the settlement terminal, depending on the additional condition.

In this way, the user can set conditions regarding the payment performed with the one-time password generated in the user terminal, based on the user's wish.

Examples of the additional condition are as follows.

The additional condition may be a restriction of a period in which the payment is permitted. As mentioned above, for the one-time password in the settlement system of the present application, the period in which the payment is permitted, and which is defined on the side of the settlement device, more precisely, determined by the final determination unit of the settlement device, may be provided. Meanwhile, it is more convenient and the one-time password can be less likely to be fraudulently used if a shorter time limit of the payment can be set, or a starting point and an ending point of a time in which the payment can be performed can be set on the side of the user terminal. If the period in which the payment is permitted, and which is determined by the final determination unit of the settlement device, does not exist, a larger benefit is provided from the user terminal capable of restricting the period in which the payment with the one-time password is permitted.

The additional condition may be a restriction of a position of the settlement terminal that receives the payment. For example, if the payment is allowed only for settlement terminals that exist in one area or exist close to the user terminal, among the settlement terminals, the user can perform the payment with the one-time password to the user's desired store or the like, with a lower possibility of the fraudulent use of the one-time password.

When the additional condition is a restriction of a position of the settlement terminal that receives the payment, the user terminal in the settlement system of the invention of the present application comprises position information generation means that generates position information that is information for identifying a position where the user terminal exists, and the user terminal transmission and reception means may transmit the position information to the settlement device. In this case, only if a position of the settlement terminal that has sent the one-time password from the user terminal with the settlement terminal transmission and reception means thereof is within a predetermined distance from the position identified by the position information generated in the position information generation means of the user terminal, the final determination unit of the settlement device may permit the payment from the user of the user terminal to the administrator of the settlement terminal with the one-time password. This settlement system is particularly useful in the case where the settlement terminal exists in the brick-and-mortar store, but is not limited thereto. In this settlement system, unless the user terminal and the position of the settlement terminal to which the one-time password is passed from the user terminal are within the predetermined distance, the final determination unit of the settlement device does not perform the permission of the settlement. Thereby, fear of the impersonation performed by the third party can further be reduced.

A timing of the transmission of the position information from the user terminal to the settlement device can be decided separately from a timing of the transmission of the upper limit amount information and the user ID to the settlement device. For example, the user terminal transmission and reception means may transmit the position information along with the upper limit amount information and the user information to the settlement device. Alternatively, at a predetermined timing after the user terminal has received the temporary permission information, the user terminal may send the position information to the settlement device.

The position information generation means is, for example, a GPS (Global Positioning System). Since functions of the GPS have typically already been integrated in the smartphone or the like as an example of the user terminal, use of the GPS as the position information generation means is less burdensome as far as hardware is concerned.

As mentioned above, the final determination unit determines whether or not the position of the settlement terminal that has sent the one-time password from the user terminal is within the predetermined distance from the position identified by the position information on the user terminal. In order to perform this determination, the final determination unit needs to know the position of the settlement terminal. In order to enable it, there are some approaches as follows.

The first one of the approaches is that the settlement device has previously grasped the position of the settlement terminal that may send the one-time password to the settlement device. For example, if the settlement device has a database in which a settlement terminal ID for identifying each settlement terminal and the position of each settlement terminal are linked and recorded, the settlement device can grasp which settlement terminal the one-time password has been sent from, to thereby grasp the position of the settlement terminal that has sent the one-time password.

The second one of the approaches is that the settlement terminal has been caused to have position information generation means similar to the position information generation means included in the user terminal, and the position information on the settlement terminal is sent from the settlement terminal to the settlement device each time the settlement terminal sends the one-time password to the settlement device (regardless of whether or not the position information on the settlement terminal is sent at the same time as the sending of the one-time password). Thereby, the settlement device can also grasp the position of the settlement terminal that has sent the one-time password.

The additional condition may be a restriction of the settlement terminal that receives the payment. For example, if the settlement terminals that receive the payment are restricted only to settlement terminals that exist within one shopping mall, or to settlement terminals managed by an enterprise belonging to one enterprise group, the user can perform the payment with the one-time password to the user's desired store or the like, with the lower possibility of the fraudulent use of the one-time password.

The user terminal input means may be capable of inputting an upper limit amount identified by the upper limit amount information as a sum of split amounts that are two or more amounts; and if the user terminal OTP generation unit generates the one-time password, the user terminal OTP generation unit may generate as many one-time passwords as a number of pieces of split amount information that is information identifying the split amounts, corresponding to the respective pieces of the split amount information.

In this case, if the settlement device OTP generation unit in the settlement device generates the one-time password identical to the one-time password which is generated in the user terminal, the settlement device OTP generation unit may generate as many one-time passwords identical to those generated in the user terminal, as the number of pieces of the split amount information, corresponding to the respective pieces of the split amount information; and in the recording medium, the one-time passwords and the split amount information made to correspond to the one-time passwords may be recorded so as to be associated with each other such that each piece of the upper limit amount information becomes the virtual balance information.

If the one-time password made to correspond to one piece of the split amount information generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with the one-time password identical to the one-time password received from the settlement terminal by the settlement device may be read out from the recording medium, and also on the condition that the amount identified by the amount information received from the settlement terminal is equal to or less than the amount identified by the virtual balance information, the final determination unit of the settlement device may permit the payment from the user of the user terminal to the administrator of the settlement terminal with the one-time password, and also subtract the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

In the settlement system of the invention of the present application, multiple one-time passwords may be generated from one user terminal. Moreover, all of the multiple one-time passwords generated from one user terminal may be valid, in other words, may be in a state of being capable of being used for the payments. If the multiple one-time passwords are generated, the user may also be caused to perform a procedure of generating the one-time password, including the input of the upper limit amount information, multiple times, which, however, will place a burden on the user. For example, if the user hopes to have three one-time passwords with the upper limit amount of 10000 yen, the user is caused to input three 10000 yen as the split amount information, and as a result, caused to input the upper limit amount information for 30000 yen, and thereby, the user can collectively obtain three one-time passwords with the upper limit amount of 10000 yen. The respective split amounts are not required to be the same. For example, if the user causes the settlement device to perform the credit determination with the respective split amounts of one 10000 yen + two 5000 yen + ten 1000 yen, and with the upper limit amount of 30000 yen as a sum of them, of course, on a condition that the temporary permission information is generated in the credit determination, the user will collectively obtain one one-time password with the upper limit amount of 10000 yen, two one-time passwords with the upper limit amount of 5000 yen, and ten one-time passwords with the upper limit amount of 1000 yen.

In this case, the settlement device allocates virtual balances with the split amounts as the upper limit amounts, to the multiple one-time passwords, respectively, and records them in the recording medium. Handling of the respective virtual balances may be the same as the case where only one one-time password is generated at a time.

The split amount information may be selected from predefined split amount information with an operation of the user terminal input means. For example, in the above-mentioned example, 10000 yen, 5000 yen, and 1000 yen have previously been prepared as selectable split amounts such that the user is caused to select how to combine them.
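The settlement-device behaviour described above (one virtual balance per one-time password, split amounts, expiry, and the position restriction using the terminal-position database) can be sketched as follows; this is an added example, not code from the patent. The HMAC-based derivation that lets both sides obtain identical one-time passwords, the shared seed, the 3600-second lifetime, the 1 km distance, the simple credit-limit comparison, and all names are assumptions for illustration, and the terminal positions are constructed sample data.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Optional

OTP_LIFETIME_S = 3600    # assumed value for the "predefined time interval"
MAX_DISTANCE_KM = 1.0    # assumed value for the "predetermined distance"


def derive_otp(seed: bytes, permit_id: str, index: int) -> str:
    """Assumed derivation so both sides obtain identical one-time passwords."""
    mac = hmac.new(seed, f"{permit_id}:{index}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def distance_km(a, b) -> float:
    """Great-circle (haversine) distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Record:
    balance: int                 # virtual balance, initially the split amount
    issued_at: float             # the "predetermined time point"
    user_pos: Optional[tuple]    # set only when the position condition was requested


class SettlementDevice:
    def __init__(self, seed, credit_limit, terminal_positions):
        self.seed = seed
        self.credit_limit = credit_limit              # stand-in for the credit check
        self.terminal_positions = terminal_positions  # terminal ID -> position database
        self.records = {}                             # recording medium: OTP -> Record
        self.permit_count = 0

    def credit_determination(self, split_amounts, now, user_pos=None):
        """Return temporary permission info (a permit id here), or None if refused."""
        if not split_amounts or min(split_amounts) <= 0:
            return None
        if sum(split_amounts) > self.credit_limit:    # upper limit = sum of split amounts
            return None
        self.permit_count += 1
        permit_id = f"permit-{self.permit_count}"
        for i, amount in enumerate(split_amounts):    # one OTP per split amount
            otp = derive_otp(self.seed, permit_id, i)
            self.records[otp] = Record(amount, now, user_pos)
        return permit_id

    def final_determination(self, otp, amount, terminal_id, now):
        """Return (permitted, reason); subtract from the virtual balance on success."""
        rec = self.records.get(otp)
        if rec is None:
            return False, "unknown_otp"
        if now - rec.issued_at >= OTP_LIFETIME_S:
            return False, "expired"
        if rec.user_pos is not None:
            term_pos = self.terminal_positions.get(terminal_id)
            if term_pos is None or distance_km(rec.user_pos, term_pos) > MAX_DISTANCE_KM:
                return False, "terminal_out_of_range"
        if amount <= 0 or amount > rec.balance:
            return False, "amount_not_permitted"
        rec.balance -= amount
        return True, "ok"


def user_terminal_otps(seed, permit_id, count):
    """User terminal side: generate the same OTPs once the permit is received."""
    return [derive_otp(seed, permit_id, i) for i in range(count)]


def demo():
    seed = b"constructed-shared-seed"
    terminals = {"shop-A": (35.6595, 139.7005), "shop-B": (34.6937, 135.5023)}  # constructed
    device = SettlementDevice(seed, credit_limit=30000, terminal_positions=terminals)
    permit = device.credit_determination([10000, 5000, 5000], now=0,
                                         user_pos=(35.6590, 139.7000))
    otps = user_terminal_otps(seed, permit, 3)
    return [
        device.final_determination(otps[1], 4000, "shop-A", now=100),   # within 5000
        device.final_determination(otps[1], 2000, "shop-A", now=200),   # only 1000 left
        device.final_determination(otps[1], 1000, "shop-A", now=300),   # uses the rest
        device.final_determination(otps[0], 500, "shop-B", now=400),    # distant terminal
        device.final_determination(otps[0], 500, "shop-A", now=3600),   # past lifetime
        device.final_determination("0" * 16, 500, "shop-A", now=500),   # never issued
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Each one-time password draws only on its own virtual balance, so a disclosed password exposes at most the split amount recorded for it.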

The inventor of the present application also proposes the following method executed by the user terminal, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example of the method is a method executed by user terminal information processing means included in a user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and the user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

This method is executed by the user terminal information processing means.

Specifically, this method includes a process of accepting input of upper limit amount information that is information identifying an upper limit amount to be settled, with the user terminal input means; a process of transmitting the upper limit amount information and user information that is information identifying the user who performs the payment of the upper limit amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; a process of, if, in the settlement device that has received the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means, the settlement device information processing means has executed credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and in a case where it has been determined in the credit determination that the settlement is possible, the settlement device information processing means has generated temporary permission information that is information indicating the determination, and has also generated a one-time password in a case where the temporary permission information has been generated, and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password, and the settlement device transmission and reception means has transmitted the temporary permission information to the user terminal via the network, accepting the temporary permission information by the user terminal transmission and reception means; and a process of, if the temporary permission information has been accepted from the settlement device by the user terminal, generating a one-time password identical to the one-time password which is generated in the settlement device. The processes are executed by the user terminal information processing means.

Thereby, in this settlement system, if the one-time password generated in the user terminal and amount information that is information identifying an amount to be settled have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and moreover, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the settlement device information processing means of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

The inventor of the present application also proposes a computer program for causing a predetermined computer to function as the user terminal included in the settlement system of the invention of the present application, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example of the computer program is a computer program for causing a computer to function as a user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

In addition, this computer program causes the computer to execute a process of accepting input of upper limit amount information that is information identifying an upper limit amount to be settled, with the user terminal input means; a process of transmitting the upper limit amount information and user information that is information identifying the user who performs the payment of the upper limit amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; a process of, if, in the settlement device that has received the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means, the settlement device information processing means has executed credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and in a case where it has been determined in the credit determination that the settlement is possible, the settlement device information processing means has generated temporary permission information that is information indicating the determination, and has also generated a one-time password in a case where the temporary permission information has been generated, and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password, and the settlement device transmission and reception means has transmitted the temporary permission information to the user terminal via the network, accepting the temporary permission information by the user terminal transmission and reception means; and a process of, if the temporary permission information has been accepted from the settlement device by the user terminal, generating a one-time password identical to the one-time password which is generated in the settlement device.

Thereby, in this settlement system, if the one-time password generated in the user terminal and amount information that is information identifying an amount to be settled have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and moreover, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the settlement device information processing means of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

The inventor of the present application also proposes the settlement device used in the settlement system as described above, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example of the settlement device is a settlement device for constituting a settlement system which has a user terminal, the settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

The user terminal included in the settlement system including this settlement device is capable of inputting upper limit amount information that is information identifying an amount of an upper limit of the settlement, and amount information that is information identifying an amount to be settled, with the user terminal input means, and transmits the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; and moreover, the user terminal information processing means comprises a user terminal OTP generation unit that generates a one-time password.

In addition, this settlement device receives the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; the settlement device information processing means comprises a credit determination unit that, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executes credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and if it is determined in the credit determination that the settlement is possible, generates temporary permission information that is information indicating the determination; the settlement device information processing means also comprises a final determination unit that performs final determination of the settlement, and a settlement device OTP generation unit that generates the one-time password identical to the one-time password which is generated in the user terminal if the temporary permission information has been generated; and the settlement device transmission and reception means transmits the temporary permission information generated by the credit determination unit to the user terminal via the network; and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit.

In addition, in this settlement system, when the temporary permission information is accepted from the settlement device by the user terminal at the user terminal transmission and reception means, the user terminal OTP generation unit generates the one-time password; and if the one-time password generated and the amount information in the user terminal have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the settlement of the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

The user terminal input means of the user terminal may be capable of inputting user terminal cancellation information for identifying and canceling one of settlements performed in the past with the user terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the user terminal transmission and reception means may send the user terminal cancellation information to the settlement device via the network. In this case, the settlement device information processing means of the settlement device may comprise cancellation means that, when the user terminal cancellation information has been accepted, cancels the settlement identified by the user terminal cancellation information.

In this way, the user can cancel the settlement that has already been allowed, on the user's own will, and for example, correction is enabled when there has been an error in the settlement.

A similar effect can also be obtained by the following invention.

The settlement terminal input means of the settlement terminal may be capable of inputting settlement terminal cancellation information for identifying and canceling one of settlements performed in the past with the settlement terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the settlement terminal transmission and reception means may send the settlement terminal cancellation information to the settlement device via the network. In this case, the settlement device information processing means may comprise cancellation means that, when the settlement terminal cancellation information has been accepted, cancels the settlement identified by the settlement terminal cancellation information.

In this case, the administrator of the settlement terminal can cancel the settlement that has already been allowed, on the administrator's own will.

The user terminal cancellation information may also be sent from the user terminal similarly to the above-mentioned case, and the settlement terminal cancellation information may also be sent from the settlement terminal, also similarly to the above-mentioned case, respectively, to the settlement terminal. In this case, the cancellation means may cancel the settlement when the user terminal cancellation information and the settlement terminal cancellation information have been accepted and the settlements identified by the user terminal cancellation information and the settlement terminal cancellation information have matched each other.

In this case, the settlement that has already been allowed can be canceled only if the will of the administrator of the settlement terminal has matched the will of the user having the user terminal.

It should be noted that, in any of the above three cases, the time in which the cancellation of the settlement can be allowed can be limited. For example, the cancellation of the settlement may be enabled within 10 minutes since the settlement has been allowed in the settlement device.

The above function of enabling the cancellation of the settlement is particularly useful in the case as follows. As mentioned above, the one-time password in the invention of the present application, which is used like the credit card number in the conventional credit card, is so-called disposable, and thus a possibility of plagiarism thereof is very low. However, for example, an unknown person may steal a glance at the one-time password displayed by the user on the display or the like of the user's own user terminal such as the smartphone, and a third party who has known the one-time password may send the one-time password, for example, from a settlement terminal at one store to the settlement device, before the user uses the one-time password for the user's own payment, that is, before the user sends the one-time password from a settlement terminal at another store to the settlement device. In the settlement device of the invention of the present application, basically, if the temporary permission information is generated, the authentication of an authentic user is performed, while if the settlement is performed with the one-time password sent from the settlement terminal, it is not necessarily required to check whether or not the authentic user has passed the one-time password to the administrator of the settlement terminal. Accordingly, if a malicious third party, who has stolen a glance at the one-time password displayed on the user terminal of the legitimate user, has used the one-time password before the legitimate user, the settlement device may not be able to find out such fraud.

In order to prevent such fraud, when the final determination unit of the settlement device has not permitted the settlement, the final determination unit generates non-permission information that identifies which settlement has not been permitted and indicates that the settlement has not been permitted, and sends the non-permission information to the settlement device transmission and reception means; and the settlement device transmission and reception means may transmit the non-permission information to the settlement terminal via the network. In this case, the settlement terminal that has accepted the non-permission information may notify an administrator of the settlement terminal of which settlement has not been permitted. In the settlement system having the settlement device and the settlement terminal as above, the administrator of the settlement terminal can know whether or not the settlement has been successful with the one-time password, which the person has received from the user and sent from the settlement terminal to the settlement device, for example, according to content displayed on the display of the settlement terminal based on the non-permission information. If the administrator of the settlement device has, for example, orally informed the user thereof, the user may operate the user's own user terminal to cause the user terminal to generate the above-mentioned user terminal cancellation information, and send the user terminal cancellation information to the settlement device. Thereby, the settlement allowed in the settlement device with the one-time password fraudulently known to the third party can be canceled.

It should be noted that, in this case, the settlement device may transmit the non-permission information only to the settlement terminal as the other party. It is because, in the settlement system of the invention of the present application, the fraudulent use of the one-time password by the third party occurs only if the third party has used the one-time password generated by the legitimate user in the user's own user terminal, before the legitimate user, and the settlement with the one-time password used by the malicious third party before the legitimate user is allowed in the settlement device. In other words, even if the one-time password has been used by the malicious third party, the settlement with the one-time password has been successful, in terms of whether or not the settlement has been successful, and thus the non-permission information cannot be sent to the user terminal at all. Accordingly, the settlement device may send the non-permission information only to the settlement terminal. However, in addition to sending the non-permission information to the settlement terminal, the settlement device may send the non-permission information, or information indicating that the identical one-time password has been used twice (that is, information indicating that the one-time password has been fraudulently used) to the user terminal.

The above processing may simply be processing, by the settlement device, of notifying the settlement terminal, and possibly the user terminal, of whether or not the settlement has been successful with the one-time password sent from the settlement terminal. If the administrator of the settlement terminal has known that the settlement has been permitted, according to content of the notification, the administrator of the settlement terminal may inform the user thereof, that is, of the completion of the payment. This is not different at all from the case of performing the payment by the user in the settlement system using the credit card. In contrast, if the administrator of the settlement terminal has known that the settlement has not been permitted, according to the content of the notification, the administrator of the settlement terminal may inform the user thereof, and prompt the user to cancel the settlement and to generate the one-time password again. While this is a somewhat different procedure from the case of performing the payment by the user in the settlement system using the credit card, this procedure itself further increases certainty of the settlement by the settlement system of the present application.

As mentioned above, the credit determination unit of the settlement device performs the credit determination of whether or not the user can perform the payment with the upper limit amount identified by the upper limit amount information sent by the user from the user terminal. This credit determination may be performed based on the user's occupation, place of employment, annual income, asset situation, and the like, similarly to the case of the credit card or the like.

In contrast, more easily, the credit determination may be performed by comparing the user's deposit balance to the upper limit amount.

In this case, for example, each user's deposit balance may be recorded in the recording medium. In that case, the credit determination unit may perform the credit determination by determining whether or not the amount identified by the upper limit amount information is equal to or less than the user's deposit balance, and generate the temporary permission information on a condition that the amount identified by the upper limit amount information is equal to or less than the user's deposit balance. When such credit determination is performed, since it is ensured that the user has the deposit equal to or larger than the upper limit amount, that is, the user can perform the payment of the upper limit amount, there is no possibility of failure to receive money corresponding to the payment by a person who has received the payment with the one-time password generated in the user terminal.

Moreover, as mentioned above, each user's deposit balance may be recorded in the recording medium. In the settlement device in that case, if the temporary permission information has been generated, the upper limit amount information that has caused the generation of the temporary permission information may be subtracted from the deposit balance of the user who has sent the upper limit amount information that has caused the generation of the temporary permission information. This can be employed regardless of whether or not to use the deposit balance in the credit determination. If the user's deposit balance is reduced, and for example, money for the reduction is once moved to an account of the administrator of the settlement device, or the like, the one-time password issued in the user terminal is put into a state that is not different from a state with security of money of an amount subtracted from the user's deposit balance, and can be regarded as the money itself in a way. This can also be said to be just the same as conversion of a part of the user's deposit balance into virtual currency called “one-time password.”

It should be noted that a state where the user's deposit balance is recorded in the recording medium of the settlement device is a state where the administrator of the settlement device manages at least one deposit account of the user. Such a state can be realized, for example, if the user has previously paid some money to the administrator of the settlement device, that is, if a so-called prepaid system has been employed. Otherwise, if the administrator of the settlement device is a bank or the like that performs deposit management as its business, or also if the administrator of the settlement device is in cooperation with the bank or the like, the user's deposit balance may be recorded in the recording medium of the settlement device.
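The settlement-device behaviour described above (credit determination against the deposit balance, a virtual balance tied to each one-time password, the final determination, non-permission, and time-limited cancellation from the user terminal) is shown here as an added Python sketch that is not code from the patent. The HMAC-based OTP derivation, the counter carried in the temporary permission information, and all names (`SettlementDevice`, `derive_otp`, `alice`, `store-A`, `store-B`) are assumptions; the text only requires that both sides generate identical one-time passwords.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

CANCEL_WINDOW_SECONDS = 10 * 60  # the text's example: cancel within 10 minutes


def derive_otp(secret: bytes, counter: int) -> str:
    # Assumption: both sides compute HMAC-SHA256(secret, counter). The text only
    # requires that terminal and device arrive at identical one-time passwords.
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]


@dataclass
class Settlement:
    settlement_id: int
    otp: str
    terminal_id: str
    amount: int
    permitted_at: float
    cancelled: bool = False


class SettlementDevice:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}            # user_id -> {"secret", "deposit", "counter"}
        self.virtual_balance = {}  # one-time password -> remaining amount
        self.otp_owner = {}        # one-time password -> user_id
        self.settlements = {}      # settlement_id -> Settlement

    def register_user(self, user_id, secret, deposit):
        self.users[user_id] = {"secret": secret, "deposit": deposit, "counter": 0}

    def request_upper_limit(self, user_id, upper_limit):
        """Credit determination by deposit balance; temporary permission or None."""
        user = self.users.get(user_id)
        if user is None or upper_limit <= 0 or upper_limit > user["deposit"]:
            return None
        user["counter"] += 1
        otp = derive_otp(user["secret"], user["counter"])
        user["deposit"] -= upper_limit           # deposit converted to virtual balance
        self.virtual_balance[otp] = upper_limit  # upper limit becomes virtual balance
        self.otp_owner[otp] = user_id
        return {"user_id": user_id, "counter": user["counter"]}

    def settle(self, terminal_id, otp, amount):
        """Final determination: (True, id) if permitted, (False, None) otherwise."""
        remaining = self.virtual_balance.get(otp)
        if remaining is None or amount <= 0 or amount > remaining:
            return (False, None)                 # non-permission for the terminal
        self.virtual_balance[otp] = remaining - amount
        sid = len(self.settlements) + 1
        self.settlements[sid] = Settlement(sid, otp, terminal_id, amount, self.clock())
        return (True, sid)

    def cancel_by_user(self, user_id, settlement_id):
        """User terminal cancellation: owner only, once, inside the time window."""
        s = self.settlements.get(settlement_id)
        if s is None or s.cancelled or self.otp_owner[s.otp] != user_id:
            return False
        if self.clock() - s.permitted_at > CANCEL_WINDOW_SECONDS:
            return False
        s.cancelled = True
        self.virtual_balance[s.otp] += s.amount  # give the amount back
        return True


def run_scenario():
    """Constructed walk-through of the glance-at-the-display case in the text."""
    now = [1_000_000.0]                          # fake clock for repeatable results
    device = SettlementDevice(clock=lambda: now[0])
    secret = b"constructed-demo-secret"
    device.register_user("alice", secret, deposit=10_000)

    permission = device.request_upper_limit("alice", 5_000)
    otp = derive_otp(secret, permission["counter"])  # generated in the user terminal

    r = {}
    r["over_deposit"] = device.request_upper_limit("alice", 6_000)  # only 5000 left
    r["first_use"] = device.settle("store-A", otp, 4_000)  # OTP used before its owner
    r["owner_use"] = device.settle("store-B", otp, 3_000)  # only 1000 remains
    now[0] += 120                                # owner is told and cancels 2 min later
    r["cancel"] = device.cancel_by_user("alice", r["first_use"][1])
    r["balance_after_cancel"] = device.virtual_balance[otp]
    r["repeat_cancel"] = device.cancel_by_user("alice", r["first_use"][1])

    permission2 = device.request_upper_limit("alice", 3_000)  # OTP generated again
    otp2 = derive_otp(secret, permission2["counter"])
    r["retry"] = device.settle("store-B", otp2, 3_000)
    now[0] += CANCEL_WINDOW_SECONDS + 1          # window has passed
    r["late_cancel"] = device.cancel_by_user("alice", r["retry"][1])
    r["deposit"] = device.users["alice"]["deposit"]
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The text does not say what becomes of the first one-time password once its settlement is cancelled; this sketch simply restores its virtual balance.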

The inventor of the present application also proposes the following method executed by the settlement device, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example of the method is a method executed by settlement device information processing means included in a settlement device for constituting a settlement system which has a user terminal, the settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and the settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

This method is executed by the settlement device information processing means.

Specifically, this method includes, in the settlement device information processing means: a process of, after upper limit amount information that is information identifying an amount of an upper limit of the settlement has been inputted with the user terminal input means in the user terminal, when the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information have been transmitted to the settlement device via the network with the user terminal transmission and reception means, receiving the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; a process of, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executing credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information for the user identified by the user information is possible, and if it is determined in the credit determination that the settlement is possible, generating temporary permission information that is information indicating the determination; a process of generating a one-time password if the temporary permission information has been generated; a process of recording, in the recording medium, the one-time password and upper limit amount information so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password; a process of transmitting the generated temporary permission information to the user terminal via the network, with the settlement device transmission and reception means; a process of, if, in the user terminal that has accepted the temporary permission information at the user terminal transmission and reception means from the settlement device, a one-time password that has been generated by the user terminal information processing means and is identical to that generated in the settlement device, and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, receiving the one-time password and the amount information at the settlement device transmission and reception means; and a process of reading out the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device, from the recording medium, and on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, settling the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracting the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

The inventor of the present application also proposes a computer program for causing a predetermined computer to function as the settlement device included in the settlement system of the invention of the present application, as one aspect of the invention of the present application. An effect thereby obtained is the same as the effect obtained in the above-mentioned settlement system.

An example of the computer program is a computer program for causing a computer to function as a settlement device for constituting a settlement system which has a user terminal, the settlement device, and a settlement terminal configured to include the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, and settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network.

In addition, this computer program causes the computer to execute a process of, after upper limit amount information that is information identifying an upper limit amount to be settled has been inputted with the user terminal input means in the user terminal, when the upper limit amount information and user information that is information identifying the user who performs the payment of the upper limit amount identified by the upper limit amount information have been transmitted to the settlement device via the network with the user terminal transmission and reception means, receiving the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; a process of, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executing credit determination that is determination of whether or not the settlement of the payment of the amount identified by the amount information for the user identified by the user information is possible, and if it is determined in the credit determination that the settlement is possible, generating temporary permission information that is information indicating the determination and has also generated a one-time password in a case where the temporary permission information has been generated, and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password; a process of transmitting the generated temporary permission information to the user terminal via the network with the settlement device transmission and reception means; a process of, if, in the user terminal that has accepted the temporary permission information at the user terminal transmission and reception means from the settlement device, the one-time password identical to the one-time password which is generated in the settlement device generated by the user terminal information processing means and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and moreover, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information; and a process of, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, settling the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating an entire configuration of a settlement system according to a first embodiment;

FIG. 2 is a diagram illustrating appearance of a user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 3 is a diagram illustrating a hardware configuration of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 4 is a block diagram illustrating functional blocks generated in the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 5 is a diagram illustrating a hardware configuration of a settlement device included in the settlement system as illustrated in FIG. 1;

FIG. 6 is a block diagram illustrating functional blocks generated in the settlement device included in the settlement system as illustrated in FIG. 1;

FIG. 7 is a diagram illustrating an example of data recorded in a credit information recording unit as illustrated in FIG. 6;

FIG. 8 is a diagram illustrating an example of data recorded in a settlement terminal information recording unit as illustrated in FIG. 6;

FIG. 9 is a diagram illustrating an example of data recorded in an OTP information recording unit as illustrated in FIG. 6;

FIG. 10 is a diagram illustrating an example of data recorded in a virtual balance recording unit as illustrated in FIG. 6;

FIG. 11 is a diagram illustrating a hardware configuration of a settlement terminal included in the settlement system as illustrated in FIG. 1;

FIG. 12 is a block diagram illustrating functional blocks generated in the settlement terminal included in the settlement system as illustrated in FIG. 1;

FIG. 13 is a diagram illustrating an example of images displayed on a display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 14 is a diagram illustrating another example of the images displayed on the display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 15 is a diagram illustrating another example of the images displayed on the display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 16 is a diagram illustrating another example of the images displayed on the display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 17 is a diagram illustrating another example of the images displayed on the display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 18 is a diagram illustrating another example of the images displayed on the display of the user terminal included in the settlement system as illustrated in FIG. 1;

FIG. 19 is a diagram illustrating an example of images displayed on a display of the settlement terminal included in the settlement system as illustrated in FIG. 1;

FIG. 20 is a diagram illustrating a flow of processing executed when a settlement is performed in the settlement system as illustrated in FIG. 1;

FIG. 21 is a diagram illustrating an example of the image displayed on the display of the user terminal when the settlement is canceled in the settlement system as illustrated in FIG. 1;

FIG. 22 is a diagram illustrating an example of data recorded in a credit information recording unit in a variation;

FIG. 23 is a diagram illustrating an example of a cash voucher used in the first embodiment; and

FIG. 24 is a diagram illustrating another example of the cash voucher used in the first embodiment.

DESCRIPTION OF EMBODIMENTS

First and second embodiments of the present invention will be described below. In the description of each embodiment and a variation, the same reference characters shall be given to the same objects, and redundant description shall be omitted in some cases.

First Embodiment

An entire configuration of a settlement system of the first embodiment is schematically illustrated in FIG. 1.

The settlement system is configured to include multiple user terminals 100-1 to 100-N (which may also hereinafter simply be described as “user terminal 100.”), a settlement device 200, and settlement terminals 300-1 to 300-n (which may also hereinafter simply be described as “settlement terminal 300.”). These are all connectable to a network 400.

The network 400 is the Internet in this embodiment, but is not limited thereto.

The user terminal 100 corresponds to a user terminal in the present application, and includes a computer. More specifically, the user terminal 100 in this embodiment is configured with a general-purpose personal computer. In this embodiment, while the description is provided assuming that each user owns each one user terminal 100, one user may own multiple user terminals 100. In an example of a settlement system using credit cards, it is such a case where one user owns multiple credit cards. However, for example, through installation of multiple different computer programs (this will be described later.) distributed by administrators of different settlement devices 200, in one user terminal 100, or the like, the user can also own only one user terminal 100 so that the user can perform settlements at multiple settlement devices 200, with one user terminal 100. This is a state similar to a state where the user possesses multiple credit cards in a conventional settlement system using credit cards. However, according to the invention of the present application, the user does not need to possess multiple credit cards that are physically bulky.

A configuration of the user terminal 100 will be described next. Each of the user terminals 100-1 to 100-N has the same configuration in connection with the invention of the present application.

The user terminal 100 is a mobile phone, a smartphone, a tablet, a notebook personal computer, a desktop personal computer, or the like. Among them, particularly, the smartphone or the tablet is preferred to be used as the user terminal 100, given that the smartphone or the tablet is portable and is suitable for installation of programs to be described later. The smartphone is, for example, iPhone™ that is manufactured and sold by Apple Japan, Inc. An example of the tablet is iPad™ that is manufactured and sold by Apple Japan, Inc. Hereinafter, the description continues assuming that the user terminal is the smartphone, but is not limited thereto.

An example of appearance of the user terminal 100 is illustrated in FIG. 2.

The user terminal 100 includes a display 101. The display 101 is for displaying still images or moving images, and a publicly known or well-known display can be used. The display 101 is, for example, a liquid crystal display. The user terminal 100 also includes an input device 102. The input device 102 is for providing desired input to the user terminal 100 by the user. A publicly known or well-known input device can be used for the input device 102. The input device 102 of the user terminal 100 in this embodiment is a button-type input device, but is not limited thereto, and a numeric keypad, a keyboard, a trackball, a mouse or the like can also be used. Moreover, if the display 101 is a touch panel, the display 101 also has a function of the input device 102, which is the case in this embodiment.

A hardware configuration of the user terminal 100 is illustrated in FIG. 3.

The hardware includes a CPU (central processing unit) 111, a ROM (read only memory) 112, a RAM (random access memory) 113, and an interface 114, which are interconnected by a bus 116.

The CPU 111 is an operational device that performs operations. The CPU 111, for example, executes a computer program recorded in the ROM 112 to thereby execute processing to be described later. It should be noted that the computer program as used herein includes at least a computer program for causing this user terminal 100 to function as the user terminal of the invention of the present application. This computer program may have been pre-installed in the user terminal 100, or may be installed in an ex-post manner. The installation of this computer program in the user terminal 100 may be performed via a predetermined recording medium such as a memory card, or may be performed via a network such as a LAN or the Internet.

The ROM 112 has recorded the computer program and data required to execute the processing to be described later by the CPU 111. The computer program recorded in the ROM 112 is not limited thereto, and if the user terminal 100 is the smartphone, a computer program and data have been recorded, for example, for executing telephone calls or e-mails, which are required to cause the user terminal to function as the smartphone. The user terminal 100 can also browse homepages based on data received via the network 400, and implements a publicly known web browser for enabling the browsing.

The RAM 113 provides a work area required to perform the processing by the CPU 111.

The interface 114 performs data exchange between the CPU 111, the RAM 113 and the like, which are connected via the bus 116, and the outside. The above-mentioned display 101 and the input device 102 are connected to the interface 114. Operation content inputted from the input device 102 is inputted to the bus 116 from the interface 114, and also, image data to be described later is outputted to the display 101 from the interface 114. The interface 114 is also connected to a GPS mechanism and a transmission and reception unit, and illustration of both is omitted.

The GPS mechanism detects a position where the user terminal 100 exists on the Earth. The GPS mechanism generates position information identifying the detected position of the user terminal 100. The GPS mechanism is publicly known or well-known, and for example, detects the position of the user terminal 100 by receiving radio waves from a geostationary satellite. The position information is received by the interface 114.

The transmission and reception unit performs data transmission and reception via the network 400 that is the Internet. While this communication may also be performed in a wired manner, if the user terminal 100 is the smartphone, this communication is wirelessly performed. As long as the communication is possible, the transmission and reception unit may have a publicly known or well-known configuration. The data received by the transmission and reception unit from the network 400 is received by the interface 114, and the data passed from the interface 114 to the transmission and reception unit is sent by the transmission and reception unit, via the network 400 to the outside, for example, to the settlement device 200.

Functional blocks as illustrated in FIG. 4 are generated within the user terminal 100 by executing the computer program by the CPU 111. It should be noted that while the following functional blocks may be generated with functions of the above-mentioned computer program alone for causing the user terminal 100 to function as the user terminal of the invention of the present application, the following functional blocks may be generated in cooperation with the above-mentioned computer program and an OS and other computer programs installed in the user terminal 100.

A control unit 120 as follows is generated within the user terminal 100 in connection with functions of the invention of the present application, and a main control unit 121, a display control unit 122, a data input/output unit 123, and an OTP generation unit 124 are generated within the control unit 120.

The control unit 120 executes information processing as described below.

The main control unit 121 performs the entire control within the control unit 120. For example, the main control unit 121 performs control of the display control unit 122 based on data received from the data input/output unit 123 to be detailed later.

If the main control unit 121 has received temporary permission information to be described later, from the data input/output unit 123 to be also described later, the main control unit 121 notifies the OTP generation unit 124 thereof. The main control unit 121 also receives a user ID and a password, which will be described later, and possibly additional information described later from the data input/output unit 123. The user ID, the password and the like are sent from the main control unit 121 to the data input/output unit 123. The main control unit 121 may also receive user terminal cancellation information to be described later, from the data input/output unit 123. Moreover, the main control unit 121 has an integrated recording medium consisting of a memory or the like, whose illustration is omitted, and has recorded terminal information therein. Examples of the terminal information can include, in the case where the user terminal 100 is the smartphone, an ID number recorded in a SIM card (Subscriber Identity Module Card) incorporated in this smartphone, and an individual identification number such as a manufacturing number of the smartphone. The main control unit 121 has previously obtained at least one of these pieces of terminal information from the user terminal 100. It should be noted that the main control unit 121 may obtain the terminal information from the user terminal 100 each time the user performs processing for payment. In either case, the main control unit 121 sends the user ID and the password as well as the terminal information to the data input/output unit 123 at timings to be described later.

The main control unit 121 also receives a one-time password from the OTP generation unit 124. The main control unit 121 sends the received one-time password to the data input/output unit 123.

The display control unit 122 performs control of images to be displayed on the display 101 under control of the main control unit 121. The images based on data sent from the display control unit 122 are displayed on the display 101. The main control unit 121 sends an instruction on what image should be displayed on the display 101, to the display control unit 122.

The data input/output unit 123 performs data input and output to the control unit 120. Specifically, the data input/output unit 123 receives the input from the input device 102. The input from the input device 102 to the data input/output unit 123 includes, for example, a settlement start instruction, the user ID and the password, upper limit amount information, the user ID, the password, the additional information, an upper limit amount information transmission instruction, and the user terminal cancellation information. They are sent to the main control unit 121.

Moreover, the data input/output unit 123 receives, from the transmission and reception unit, the temporary permission information or the like sent from the settlement device 200 via the network 400, which will be described later. The data input/output unit 123 sends the received temporary permission information or the like to the main control unit 121.

Moreover, the data input/output unit 123 receives the position information from the GPS mechanism. The data input/output unit 123 sends the received position information to the main control unit 121.

Moreover, the data input/output unit 123 receives, from the main control unit 121, the user ID, the password, the terminal information, the additional information, and the upper limit amount information.

The user ID is information for identifying the user, and is an enumeration of a predetermined number of alphanumeric characters in this embodiment as will be described later, but is not limited thereto. The password is information for further ensuring authentication of the user, and is an enumeration of a predetermined number of alphanumeric characters in this embodiment as will be described later, but is not limited thereto. The terminal information is information for identifying the user terminal 100, and is also intended to further ensure the authentication of the user. The terminal information in this embodiment is an enumeration of a predetermined number of numbers as will be described later, but is not limited thereto.

The upper limit amount information is information for identifying an amount for which the user intends to perform the payment to an administrator of the settlement terminal 300, and is a number representing the amount in a predetermined unit (yen, dollar, euro, or the like).

Moreover, to the data input/output unit 123, the position information and the one-time password are sent from the main control unit 121. It should be noted that the position information may be held in the data input/output unit 123 in a state of being inputted to the data input/output unit 123 from the GPS mechanism, instead of being returned from the data input/output unit 123 via the main control unit 121 to the data input/output unit 123. Moreover, the one-time password may be directly sent from the OTP generation unit 124 to the data input/output unit 123 without going through the main control unit 121.

The additional information is information for identifying an additional condition that is a condition for restricting the payment with the one-time password generated in the user terminal 100 as will be described later. The additional condition can be selected by the user, and also, the additional condition may not be selected, that is, the additional condition may not exist. Moreover, the settlement system in this embodiment may also not originally handle the restriction of the payment by means of the additional condition. However, the settlement system in this embodiment handles the restriction of the payment with the one-time password, by means of the additional condition. The additional condition in this embodiment includes a restriction of a time limit of permission of the payment, a restriction of a position of the settlement terminal 300 that receives the payment, and a restriction of the settlement terminal 300 that receives the payment.

The user terminal cancellation information is information indicating indication of intention of the user for cancellation of one of past settlements that have already been finished, as will be described later, and is inputted by the user with the input device 102. The user terminal cancellation information includes at least information identifying one of the past settlements that the user desires to cancel.

The user ID, the password, the terminal information, the additional information, the upper limit amount information, the position information, the user terminal cancellation information and the like are sent at respective appropriate timings to be described later, from the data input/output unit 123 to the transmission and reception unit, and are sent from the transmission and reception unit to the settlement device 200 via the network 400.

If the main control unit 121 has received the temporary permission information, the OTP generation unit 124 is notified thereof by the main control unit 121, as mentioned above. If the OTP generation unit 124 is notified thereof, the OTP generation unit 124 generates the one-time password. For a way of generating the one-time password, it is possible to follow the conventional art. A specific example of the way of generating the one-time password will be described later.

The settlement device 200 will be described next.

The settlement device 200 is a typical computer. A hardware configuration thereof may be equivalent to that of a settlement device in the conventional settlement system.

The hardware configuration of the settlement device 200 is illustrated in FIG. 5.

The hardware includes a CPU 211, a ROM 212, a RAM 213, and an interface 214, which are interconnected by a bus 216.

The CPU 211 is an operational device that performs operations. The CPU 211, for example, executes a computer program recorded in the ROM 212 to thereby execute the processing to be described later. It should be noted that the computer program as used herein includes at least a computer program for causing this settlement device 200 to function as a settlement device of the invention of the present application. This computer program may have been pre-installed in the settlement device 200, or may be installed in an ex-post manner. The installation of this computer program in the settlement device 200 may be performed via the predetermined recording medium such as the memory card, or may be performed via the network such as the LAN or the Internet.

The ROM 212 has recorded the computer program and data required to execute the processing to be described later by the CPU 211. The computer program recorded in the ROM 212 is not limited thereto, and any other necessary computer programs may be recorded.

The RAM 213 provides a work area required to perform the processing by the CPU 211.

In addition to the ROM 212 and the RAM 213, another recording medium, for example, an HDD (Hard Disk Drive) or an SSD (Solid State Drive) may naturally be provided to cause them to cover a part of functions of the ROM 212 and the RAM 213.

The interface 214 performs data exchange between the CPU 211, the RAM 213 and the like, which are connected via the bus 216, and the outside. The interface 214 is at least connected to the transmission and reception unit. The data received by the transmission and reception unit from the network 400 is received by the interface 214, and the data passed from the interface 214 to the transmission and reception unit is sent by the transmission and reception unit, via the network 400 to the outside, for example, to the user terminal 100.

Functional blocks as illustrated in FIG. 6 are generated within the settlement device 200 by executing the computer program by the CPU 211. It should be noted that while the following functional blocks may be generated with functions of the above-mentioned computer program alone for causing the settlement device 200 to function as the settlement device of the invention of the present application, the following functional blocks may be generated in cooperation with the above-mentioned computer program and the OS and other computer programs installed in the settlement device 200.

A control unit 220 as follows is generated within the settlement device 200 in connection with the functions of the invention of the present application. A data input/output unit 221, a main control unit 222, a credit determination unit 223, a credit information recording unit 224, a final determination unit 225, a settlement terminal information recording unit 226, an OTP generation unit 227, an OTP information recording unit 228, and a virtual balance recording unit 229 are generated within the control unit 220.

The data input/output unit 221 performs data input and output to the control unit 220. Specifically, the data input/output unit 221 accepts various data to be described later, from the main control unit 222. The data input/output unit 221 passes the various data accepted from the main control unit 222, to the transmission and reception unit, and the transmission and reception unit sends the data to the user terminal 100 or the settlement terminal 300 via the network 400.

The data input/output unit 221 also receives various data to be described later, which has been received by the transmission and reception unit from the user terminal 100 or the settlement terminal 300 via the network 400, from the transmission and reception unit, and sends the received data to the main control unit 222.

The main control unit 222 performs the entire control within the control unit 220.

The main control unit 222 may receive the user ID and the password as well as the terminal information and the upper limit amount information from the data input/output unit 221. If the main control unit 222 has received the user ID and the password as well as the terminal information, the main control unit 222 sends them to the credit determination unit 223.

The main control unit 222 may receive the additional information sent from the user terminal 100. If the main control unit 222 has received this additional information, the main control unit 222 records the additional information so as to be associated with the one-time password, which is associated with the upper limit amount information sent from the user terminal 100 with the additional information, in the virtual balance recording unit 229. The main control unit 222 may receive the position information sent from the user terminal 100, from the data input/output unit 221. If the main control unit 222 has received this position information, and if the one-time password associated with the upper limit amount information, which has been sent from the user terminal 100 with the position information, has been created later in the OTP generation unit 227, and an additional condition of “Close to the user terminal” to be described later has been added to the one-time password, the main control unit 222 records the position information so as to be added to the additional information identifying the additional condition, in the virtual balance recording unit 229.

The main control unit 222 may also receive the temporary permission information to be described later, from the credit determination unit 223. If the main control unit 222 has received the temporary permission information, the main control unit 222 sends it to the data input/output unit 221. If the main control unit 222 has received the temporary permission information, the main control unit 222 sends an instruction to generate the one-time password for the user who has sent the user ID and the like, which have caused the generation of this temporary permission information, to the OTP generation unit 227. The main control unit 222 may also receive settlement application information, the one-time password, the user ID, and the amount information, all of which have been sent from the settlement terminal 300 and will be described later, from the data input/output unit 221. If the main control unit 222 has received the settlement application information, the main control unit 222 sends them to the final determination unit 225.

The main control unit 222 may also receive the one-time password from the OTP generation unit 227. If the main control unit 222 has received the one-time password, the main control unit 222 sends it to the virtual balance recording unit 229. It should be noted that the one-time password is not necessarily required to be sent to the virtual balance recording unit 229 via the main control unit 222, and for example, may also be directly sent from the OTP generation unit 227 to the virtual balance recording unit 229.

The main control unit 222 may also receive final determination data to be described later, from the final determination unit 225. If the main control unit 222 has received the final determination data, the main control unit 222 performs settlement processing. The settlement processing is processing for allowing the settlement to the administrator of the settlement terminal 300 that has transmitted the temporary permission information for asking for payment to a certain user, from the user. The main control unit 222 in this embodiment holds data on what settlement has been performed. For example, the main control unit 222 records information on how much, from whom, and to whom the payment has finally been permitted, for each user in a recording medium that is not illustrated. The settlement processing will be described later.

The main control unit 222 may receive the user terminal cancellation information and settlement terminal cancellation information to be described later, from the data input/output unit 221. If the main control unit 222 has received the user terminal cancellation information and the settlement terminal cancellation information, and if the past settlements identified by the user terminal cancellation information and the settlement terminal cancellation information are identical, the main control unit 222 performs processing for canceling this past settlement. However, this processing of canceling the settlement is not necessarily essential, and if the processing of canceling the settlement is unnecessary, functions required only for this processing can also be deleted from the user terminal 100, the settlement device 200, and the settlement terminal 300. It should be noted that, in this embodiment, the main control unit 222 receives both the user terminal cancellation information and the settlement terminal cancellation information to be described later, and cancels the past settlement only if the past settlements identified by the user terminal cancellation information and the settlement terminal cancellation information are identical. Instead, however, the main control unit 222 may cancel the past settlement identified by the user terminal cancellation information or the settlement terminal cancellation information, when the main control unit 222 has accepted only any one of the user terminal cancellation information and the settlement terminal cancellation information. Moreover, the main control unit 222 may perform the cancellation of only relatively new settlements among the past settlements. For example, the main control unit 222 may allow the cancellation of only the settlements within 10 minutes since the above-mentioned settlement processing has finished.

The credit determination unit 223 receives the user ID and the passwordas well as the terminal information and the upper limit amountinformation from the main control unit 222, as mentioned above. If thecredit determination unit 223 has received the user ID and the passwordas well as the terminal information, the credit determination unit 223performs credit determination. The credit determination is determinationof whether or not the settlement of the payment of an amount identifiedby the above-described upper limit amount information is possible, forthe user identified by the user ID and the password as well as theterminal information. This credit determination also includes processingof so-called authentication regarding whether or not the user islegitimate.

The credit determination unit 223 utilizes data recorded in the creditinformation recording unit 224 for the credit determination includingthe authentication processing.

Data as illustrated in FIG. 7 has been recorded in the creditinformation recording unit 224.

In this embodiment, the user ID, the password, the terminal information,and a credit balance have been recorded in the credit informationrecording unit 224, but are not limited thereto. They are linked to eachuser. It should be noted that, in addition to them, a real name, atelephone number, an e-mail address and the like of each user maynaturally be recorded.

The user ID is the information for identifying each user. The user ID inthis embodiment is the enumeration of the predetermined number ofalphanumeric characters, but is not limited thereto. The user ID isdecided by each user, or otherwise decided by the administrator of thesettlement device 200. If the user ID is decided by the user, theadministrator of the settlement device 200 is notified of the user ID bythe user according to a publicly known or well-known method, and thenotified user ID is recorded in the credit information recording unit224.

The password is information for checking legitimacy of each user. Thepassword in this embodiment is the enumeration of the predeterminednumber of alphanumeric characters, but is not limited thereto. Thepassword is decided by each user. The administrator of the settlementdevice 200 is notified of the password by the user according to thepublicly known or well-known method, and the notified password isrecorded in the credit information recording unit 224.

The terminal information is information for further solidly checking thelegitimacy of each user. Specific examples thereof include the ID numberrecorded in the SIM card, the manufacturing number of the smartphone andthe like, as already described. The terminal information is uniquelydecided for each user terminal 100. The administrator of the settlementdevice 200 is notified of the terminal information, for example, fromthe user, according to the publicly known or well-known method, and thenotified terminal information is recorded in the credit informationrecording unit 224.

The credit balance is a balance that is decided for each user andindicates how much payment can be performed more by the user with thissettlement system. To be more precise, the user can generate theone-time password with an upper limit amount corresponding to the creditbalance, in the user's own user terminal 100. For example, according toa concept similar to that used in the settlement system using the creditcards, in which “amount limit” has been decided for each user dependingon each user's credit, and then the upper limit amount associated withthe one-time password generated in the user terminal 100 is subtracted,or an amount that has already been used for the payment by the user issubtracted, from the amount limit, and thereby, the credit balance canbe decided. In this case, “amount limit” is decided by each user'scredit, and an amount thereof is not necessarily proportional to anamount of cash that each user has at this time point, or the amount ofthe cash that each user has at this time point, which has been graspedby the administrator of the settlement device 200.

When the credit determination unit 223 receives the user ID and the password as well as the terminal information and the upper limit amount information from the main control unit 222, the credit determination unit 223 reads out the password, the terminal information, and the credit balance, which are associated with the user ID identical to the received user ID, from the credit information recording unit 224. If the user ID identical to the user ID received by the credit determination unit 223 does not exist in the credit information recording unit 224, the credit determination unit 223 does not read out information such as the password from the credit information recording unit 224. In this case, the credit determination unit 223 ceases processing of the credit determination.

If the user ID identical to the user ID received from the main control unit 222 by the credit determination unit 223 has been recorded in the credit information recording unit 224, and if the password, the terminal information, and the credit balance, which are associated with the user ID identical to the received user ID, have been read out from the credit information recording unit 224, the credit determination unit 223 determines whether or not the password and the terminal information, which have been received from the main control unit 222, are identical to the password and the terminal information which have been read out from the credit information recording unit 224. If they have matched each other, the credit determination unit 223 authenticates that the user who has sent the user ID and the like is a legitimate user, and if at least one of the passwords and the terminal information has not matched, the credit determination unit 223 determines that the user who has sent the user ID and the like is not the legitimate user, and ceases the credit determination processing. The above is the authentication processing. In the authentication processing, if it is authenticated that the user who has sent the password is the legitimate user, the credit determination unit 223 performs the credit determination of whether or not the settlement asked by the user may be allowed.

The credit determination is performed by comparing the upper limit amount information transmitted from the user terminal 100, to the credit balance read out from the above-described credit information recording unit 224, which has been linked to the user ID linked to the upper limit amount information. In this embodiment, if the credit balance is equal to or larger than the amount identified by the upper limit amount information, the settlement asked by the user is allowed, which, however, is not limited thereto. In that case, the credit determination unit 223 generates the temporary permission information. In contrast, if the credit balance is smaller than the amount identified by the upper limit amount information, the settlement asked by the user is not allowed. In this case, the credit determination unit 223 does not generate the temporary permission information. If the credit determination unit 223 has generated the temporary permission information, the temporary permission information is sent to the main control unit 222.

Moreover, the credit determination unit 223 has a function of identifying time (a clock function included in the typical computer may be utilized), and notifies the main control unit 222 of time information for identifying the time when the credit determination has been performed. This time information is sent from the main control unit 222 to the final determination unit 225, and the main control unit 222, which has received it, is supposed to write the time information to the virtual balance recording unit 229 (FIG. 10).

The final determination unit 225 may receive the position information sent from the user terminal 100, from the main control unit 222, as mentioned above. The main control unit 222 may also receive the settlement application information, the user ID, the one-time password, and the amount information, all of which have been sent from the settlement terminal 300, from the data input/output unit 221. In this embodiment, the settlement application information, the user ID, the one-time password, and the amount information are collectively sent from the settlement terminal 300 to the settlement device 200, and such four pieces of the information are collectively received by the final determination unit 225, which, however, is not limited thereto. The final determination unit 225 has a function of performing processing of final determination if the final determination unit 225 has received the settlement application information, the user ID, the one-time password, and the amount information. The final determination is determination of whether or not the payment to the administrator of the settlement terminal 300, which has been desired by the user, is finally allowed.

The final determination unit 225 utilizes information recorded in the settlement terminal information recording unit 226 if necessary to perform the final determination. Moreover, the one-time password provided from the OTP generation unit 227 via the main control unit 222 is also utilized for the final determination.

In the settlement terminal information recording unit 226, a settlement terminal ID and various data related to the settlement terminal have been recorded in a state of being linked to each other, as illustrated in FIG. 8.

The settlement terminal ID is for distinguishing and identifying each settlement terminal 300. Since there are n settlement terminals 300 in this embodiment, serial numbers 1 to n that are natural numbers are used as the settlement terminal ID for identifying each settlement terminal 300 in this embodiment, which, of course, is not limited thereto.

As various data related to the settlement terminal 300, an enterprise name, a business type name, a facility name, position information and the like are recorded. The enterprise name is a name of the administrator of the settlement terminal 300, or a name of an enterprise to which the administrator belongs. For example, in this embodiment, if the settlement terminal 300 is placed in a store operated by Starbucks Coffee Japan™, the enterprise name of the settlement terminal 300 is “Starbucks,” and also, if the settlement terminal 300 is placed in a directly managed store of McDonald's Company (Japan), Ltd., or a franchisee thereof, the enterprise name of the settlement terminal 300 is “McDonald's,” regardless of the directly managed store or the franchisee, which, however, are not limited thereto. Moreover, a store name such as “◯◯ branch,” if any, is also added to the enterprise name. The business type name is a business type of the store or the like where the settlement terminal 300 is placed, for example, such as restaurants, books, clothing, jewelry, beauty, travel agencies, brick-and-mortar store retail, and the Internet retail. If the store or the like where the settlement terminal 300 is placed is included, for example, as a tenant, in a commercial facility such as a shopping mall or a commercial building, the facility name identifies this commercial facility. The commercial facility may also be a virtual commercial facility on the Internet. Rakuten Ichiba™ managed by Rakuten, Inc. and Yahoo Shopping™ managed by Yahoo Japan Corporation are examples thereof.

The position information is information for identifying a position where the settlement terminal 300 linked thereto exists. The position information in this embodiment identifies the position of the settlement terminal 300 with latitude and longitude. In FIG. 8, numbers having a character “N” or “S” and positioned on the left of the character identify latitudes, in which the former identifies north latitude and the latter identifies south latitude, and numbers having a character “E” or “W” and positioned on the right of the character identify longitudes, in which the former identifies east longitude and the latter identifies west longitude, respectively. However, a format of the position information is not limited to a combination of latitude and longitude. It should be noted that the position information generated with the GPS mechanism of the user terminal 100 also has a similar format in this embodiment.

It should be noted that the position information is not set to the settlement terminal ID of 4 in FIG. 8. For example, if the settlement terminal 300 is used for settlement for a virtual store on the Internet, the identification of the position of the settlement terminal 300 is less meaningful for a reason to be described later. The position information may not be set to such a settlement terminal 300.

The administrator of the settlement device 200 can be informed of the various data related to the settlement terminal 300, for example, by notifying the administrator of the settlement device 200 thereof by the administrator of the settlement terminal 300 with appropriate means such as an e-mail or a letter, when the settlement terminal 300 is installed. The administrator of the settlement device 200 may link the notified position information to the settlement terminal ID of each settlement terminal 300, and record them in the settlement terminal information recording unit 226.

To the above-mentioned settlement application information, the settlement terminal ID of the settlement terminal 300 that has transmitted the settlement application information is attached. When the final determination unit 225 has received the settlement application information and the one-time password, the final determination unit 225 reads out all of the various data related to the settlement terminal 300, which is linked to the settlement terminal ID matching the settlement terminal ID added to the settlement application information, or a necessary part thereof, from the settlement terminal information recording unit 226.

The OTP generation unit 227 has a function of generating the one-time password.

As mentioned above, when the OTP generation unit 227 receives the instruction to generate the one-time password from the main control unit 222, the OTP generation unit 227 generates the one-time password. It should be noted that, a timing at which the one-time password is generated in the settlement device 200 may be at an appropriate timing that is the same time as the generation of the temporary permission information or later, and before the final determination unit 225 performs the final determination.

For the way of generating the one-time password, it is possible to follow the conventional art, and the specific example thereof is as follows, for example.

In order to generate the one-time password, for example, a method of assigning a past value to a predetermined function with one initial value (which may be two or more initial values) and thereby sequentially creating a new value may be executed each time the one-time password is required. Thereby, the one-time password that is the above “value” can be consecutively generated. Such a one-time password becomes a pseudo-random number having initial value dependence.

Examples of the function used for creating the above-mentioned “value” include the following (a) to (c). Any of the following (a) to (c) is an expression for creating $X_N$ that is the N-th “value.” Moreover, P, Q, R, and S are natural numbers.

$$X_N = (X_{N-1})^P + (X_{N-2})^Q \tag{a}$$

$$X_N = (X_{N-1})^P \tag{b}$$

$$X_N = (X_{N-1})^P (X_{N-2})^Q (X_{N-3})^R (X_{N-4})^S \tag{c}$$

(a) generates a new “value” by using past two “values” to add them raised to the P-th power and the Q-th power, respectively. It should be noted that, precisely, when the past two “values” are used and the values raised to the P-th power and the Q-th power are added, the number of digits increases, and thus the new “value” is actually generated by extracting an appropriate number of digits from the beginning of an obtained value, extracting an appropriate number of digits from the end of the value, or extracting an appropriate number of digits from an appropriate portion of the value or the like.

(b) has the new “value” by using one past “value” to arrange the number of digits of the value raised to the P-th power as mentioned above.

(c) has the new “value” by using past four “values” to take the product of them raised to the P-th power, the Q-th power, the R-th power, and the S-th power, respectively, and then arranging the number of digits as mentioned above.

The above-mentioned (a) to (c) are an example of an algorithm for generating the one-time password, and a change can be added to the algorithm when the one-time password is generated, for example, a change can also be added in which the above-mentioned (a) to (c) are used in rotation or the like. In this embodiment, an enumeration of alphanumeric characters, which is obtained by performing an appropriate operation for the “value” obtained as above, is set as the one-time password.

In the generation of the one-time password, the OTP generation unit 227 utilizes data recorded in the OTP information recording unit 228. For example, data as described in FIG. 9 has been recorded in the OTP information recording unit 228. The user ID, the initial value, and the number of generation have been recorded in the OTP information recording unit 228. Only the initial value is essential among them.

The user ID recorded in the OTP information recording unit 228 is the same as the user ID recorded in the credit information recording unit 224, and is for identifying each user. When the OTP generation unit 227 receives the instruction to generate the one-time password, from the main control unit 222, the OTP generation unit 227 has also received the user ID of this user for whom the one-time password is generated. The OTP generation unit 227 reads out the initial value and the number of generation, which are associated with the user ID, from the OTP information recording unit 228, prior to the generation of the one-time password.

The initial value is the initial value used when the one-time password is generated.

The initial value is different for each user terminal 100. In order to enable generation of the one-time password identical to the one-time password generated in the OTP generation unit 124 of each user terminal 100, in the OTP generation unit 227 of the settlement device 200, the initial value identical to the initial value given to each user terminal 100 has been recorded in the OTP information recording unit 228. As mentioned above, the one-time password becomes the pseudo-random number having the initial value dependence. In other words, the one-time passwords for one user terminal 100 constantly become identical when the one-time passwords in the same order are compared to each other. Accordingly, if the one-time password identical to the initial value included in each user terminal 100 has been prepared in the settlement device 200, the settlement device 200 will be able to reproduce the one-time password in any user terminal 100. In this embodiment, there are two initial values for each user terminal 100 which have been recorded in the OTP information recording unit 228. This is because, in this embodiment, the above-mentioned mathematical expression (a) of utilizing the past two “values” to generate the new “value” is used to generate the one-time password, which, however, is not limited thereto. It is only necessary to have recorded the past values required to generate the new “value,” that is, the one-time password, in the OTP information recording unit 228.

The number of generation is a numerical value indicating how many times the one-time password for the user terminal 100 has been generated. As mentioned above, the one-time password is a random number, but is a pseudo-random number. When the number of generation is 0, the one-time password generated first by using the initial value is used for the final determination to be described later; when the number of generation is 1, the one-time password generated second by using the above-mentioned initial value is used for the final determination; and when the number of generation is N, the one-time password generated (N+1)-th by using the above-mentioned initial value is used for the final determination.

When the OTP generation unit 227 receives the instruction to generate the one-time password, from the main control unit 222, the OTP generation unit 227 reads out the initial value and the number of generation, which are linked to the user ID received with the one-time password, from the OTP information recording unit 228. The OTP generation unit 227 assigns the initial value to the above-mentioned mathematical expression (a), and generates up to the (N+1)-th values when the read out number of generation is N. It becomes the one-time password used for the final determination.

It should be noted that the one-time password is generated in a similar manner also in the OTP generation unit 124 of the user terminal 100. As mentioned above, the OTP generation unit 124 of the user terminal 100 has the same initial value as that recorded in the OTP information recording unit 228 of the settlement device 200; can also use the same mathematical expression as that used in the OTP generation unit 227 of the settlement device 200 (in the case of this embodiment, the mathematical expression (a)); and can record the number of generation identifying how many times the “value” has been generated in the past, in a similar manner to the recording in the OTP information recording unit 228. Thereby, the one-time passwords generated in the user terminal 100 and the settlement device 200 can be constantly synchronized.

In this way, a method of using the one-time passwords generated in the same order in the two devices, in order to generate the identical one-time passwords in two devices that generate the one-time passwords, or to synchronize the one-time passwords, is generally referred to as “event synchronization.” The above-mentioned method employs a one-time password approach using the event synchronization. In contrast, in order to synchronize the one-time passwords, information on time can also be used. Such a one-time password synchronization method is generally referred to as “time synchronization.” Both the event synchronization and the time synchronization are publicly known technologies, and either of them can also be used to synchronize the one-time passwords.

In either case, the OTP generation unit 227 sends the generated one-time password to the final determination unit 225 via the main control unit 222. Moreover, the OTP generation unit 227 adds 1 to the number of generation that has been recorded in the OTP information recording unit 228, and has been linked to the user ID of the user terminal 100 in which the one-time password for the user terminal 100 has been created, and thereby rewrites the number of generation.

When the main control unit 222 receives the one-time password, the main control unit 222 records the one-time password; the user ID of the user who has sent the upper limit amount information and the like for generating the one-time password; this one-time password; the upper limit amount of the one-time password; time information indicating date and time of the generation of the one-time password (in this embodiment, more precisely, date and time when the credit determination has been performed); and the additional information if any additional information has existed for generating the one-time password, in a state of being associated with one another, in the virtual balance recording unit 229. FIG. 10 illustrates an example of data recorded in the virtual balance recording unit 229.

It should be noted that only the initial value is essential in the information to be recorded in the OTP information recording unit 228, as mentioned above. In that case, the one-time password generated in the user terminal 100 and the one-time password generated in the settlement device 200 are synchronized as follows.

First, there is a case without the information on the number of generation. In this case, the OTP generation unit 227 of the settlement device 200 repeats processing of erasing the oldest “value” and overwriting it with one new “value,” each time the new “value” is generated. The one-time password generated in the user terminal 100 and the one-time password generated in the settlement device 200 can be synchronized by repeating similar processing also in the user terminal 100, without using the information on the number of generation indicating how many times the “value” has been generated in the past.
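The event-synchronized generation described above, using expression (a), can be sketched as follows. This is an added example, not code from the patent: the exponents, the digit truncation, the output alphabet, the initial values and all class and function names are assumptions chosen for illustration. It implements both record-keeping variants (initial values plus number of generation, and the rolling two-value state) and shows that they stay in step only while both sides generate the same number of values.

```python
"""Event-synchronised one-time passwords built on expression (a)."""

# Everything marked "assumed" is not specified on the page.
P, Q = 3, 2          # assumed exponents (the text only requires natural numbers)
DIGITS = 16          # assumed: keep the last 16 decimal digits of each new value
ALPHABET = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed output alphabet
OTP_LEN = 8          # assumed one-time password length


def next_value(older, newer):
    """Expression (a): X_N = X_{N-1}^P + X_{N-2}^Q, cut back to DIGITS digits."""
    return (newer ** P + older ** Q) % 10 ** DIGITS


def encode(value):
    """Assumed 'appropriate operation' turning a value into alphanumerics."""
    chars = []
    for _ in range(OTP_LEN):
        value, digit = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[digit])
    return "".join(chars)


class CountingDevice:
    """Keeps the two initial values and the number of generation."""

    def __init__(self, init_a, init_b):
        self.init = (init_a, init_b)
        self.generated = 0

    def otp(self):
        older, newer = self.init
        # With number of generation N, regenerate up to the (N+1)-th value.
        for _ in range(self.generated + 1):
            older, newer = newer, next_value(older, newer)
        self.generated += 1          # rewrite the number of generation
        return encode(newer)


class RollingTerminal:
    """Variant without a counter: only the two newest values are kept."""

    def __init__(self, init_a, init_b):
        self.state = (init_a, init_b)

    def otp(self):
        older, newer = self.state
        new = next_value(older, newer)
        self.state = (newer, new)    # erase the oldest value, keep the new one
        return encode(new)


SAMPLE_INIT = (1234567, 7654321)     # constructed initial values


def paired_run(rounds, init=SAMPLE_INIT):
    """Both sides generate in lockstep; returns (terminal, device) pairs."""
    device, terminal = CountingDevice(*init), RollingTerminal(*init)
    return [(terminal.otp(), device.otp()) for _ in range(rounds)]


def drifted_pair(init=SAMPLE_INIT):
    """The terminal generates one value the device never generates."""
    device, terminal = CountingDevice(*init), RollingTerminal(*init)
    terminal.otp()                   # extra generation on one side only
    return terminal.otp(), device.otp()


if __name__ == "__main__":
    for t, d in paired_run(3):
        print(t, d, "match" if t == d else "MISMATCH")
    print("after drift:", drifted_pair())
```

Because the whole sequence is a deterministic function of the initial values, the secrecy of every future one-time password rests on the secrecy of those values and of the function parameters.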

The final determination unit 225 receives the settlement application information, the one-time password, and the amount information from the main control unit 222, as mentioned above. Moreover, before that, the final determination unit 225 has received the additional information transmitted from the user terminal 100, and the time information generated in the credit determination unit 223, from the main control unit 222.

Meanwhile, the final determination unit 225 receives the settlement terminal information indicating the position of the settlement terminal 300 that has sent the settlement application information to the settlement device 200, from the position information recording unit 226, and also receives the one-time password from the OTP generation unit 227.

The final determination unit 225 compares the one-time password from the settlement terminal 300, which has been received via the main control unit 222, to the one-time password from the OTP generation unit 227, which has also been received via the main control unit 222. As a result, only when both of two conditions have all been satisfied, the final determination unit 225 finally makes a decision to allow the payment of money of amount identified with the amount information to the administrator of the settlement terminal 300 from the user of the user terminal 100, both of the two conditions being a condition that the above compared two one-time passwords match each other; and a condition that a time when this comparison has been performed is within a predetermined time, for example, 5 minutes, or within 30 minutes, from the time identified by the time information accepted from the credit determination unit 223 via the main control unit 222. If any of the three conditions is not satisfied, the final determination unit 225 finally makes a decision not to allow the above described payment. However, when the additional condition, which is an added condition as a condition for allowing the payment by the final determination unit 225, has been added with the additional information, the final determination unit 225 determines to allow the payment only if the additional condition has also been satisfied in addition to the above two conditions.

If any of the above two conditions or any of the additional condition is not satisfied, the final determination unit 225 finally makes a decision not to allow the above-described payment. These both decisions are referred to as “final determination.”

If the final determination unit 225 has performed the final determination, the final determination unit 225 sends the final determination data that is data indicating a result of the final determination, to the main control unit 222. If the payment has been allowed in the final determination, the main control unit 222, which has received it, performs processing for allowing the payment of an amount of money identified by the amount information, from the user of the user terminal 100 that has generated the one-time password used to perform this final determination, to the administrator of the settlement terminal 300 that has sent the amount information with the one-time password. The processing includes subtraction of the amount identified by the amount information, from a virtual balance recorded in the virtual balance recording unit 229 in a state of being associated with a one-time password identical to the one-time password sent from the settlement terminal 300 with the amount information. In this way, the data in the virtual balance recording unit 229 is rewritten each time the payment with the one-time password has been performed. Moreover, a related financial institution or the like is notified of content of the payment settled in the settlement device 200 if the content is required in order for the administrator of the settlement device 200 to receive the user's money, or to realize the processing of the payment to the administrator of the settlement terminal 300.

Meanwhile, if the payment has not been allowed in the final determination, the main control unit 222 does not perform the above-mentioned processing. The main control unit 222 sends content based on the final determination data to the data input/output unit 221 so that the content is sent via the transmission and reception unit and the network 400, to the settlement terminal 300 that has transmitted the settlement application information that becomes the basis of the final determination.
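The credit determination and the final determination described above can be put together as one flow. The sketch below is an added example, not code from the patent: the record layouts, names, sample users, terminals and one-time password are constructed, one outstanding one-time password per user is assumed, and the checks that the amounts are positive and that a payment does not exceed the remaining virtual balance are assumptions that this passage does not list among its conditions.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VALID_FOR = timedelta(minutes=5)   # the "predetermined time"; 5 minutes is one value given


def same(a, b):
    """Compare two secrets without leaking where they differ."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class CreditRow:                   # credit information recording unit 224
    password: str
    terminal_info: str
    credit_balance: int


@dataclass
class Permission:                  # one row of the virtual balance recording unit 229
    otp: str
    virtual_balance: int           # starts at the upper limit amount
    credit_time: datetime
    conditions: list = field(default_factory=list)   # additional conditions


def credit_determination(credit_db, issued, user_id, password, terminal_info,
                         upper_limit, otp, now, conditions=()):
    row = credit_db.get(user_id)
    if row is None:
        return False               # unknown user ID: processing ceases
    if not (same(row.password, password) and same(row.terminal_info, terminal_info)):
        return False               # authentication failed
    if upper_limit <= 0 or row.credit_balance < upper_limit:
        return False               # credit not possible (the <= 0 check is an assumption)
    row.credit_balance -= upper_limit          # upper limit is taken off the credit balance
    issued[user_id] = Permission(otp, upper_limit, now, list(conditions))
    return True


def final_determination(issued, terminals, user_id, otp, amount, terminal_id, now):
    perm, terminal = issued.get(user_id), terminals.get(terminal_id)
    if perm is None or terminal is None:
        return "rejected: unknown user or terminal"
    if not same(perm.otp, otp):
        return "rejected: one-time password mismatch"
    if not timedelta(0) <= now - perm.credit_time <= VALID_FOR:
        return "rejected: outside the time window"
    if not all(cond(terminal, amount) for cond in perm.conditions):
        return "rejected: additional condition"
    if amount <= 0 or amount > perm.virtual_balance:   # assumption, see lead-in
        return "rejected: amount"
    perm.virtual_balance -= amount             # rewrite the virtual balance
    return "allowed"


def scenario():
    """Constructed data: one user, two settlement terminals, one permission."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    minute = timedelta(minutes=1)
    credit_db = {"user-1": CreditRow("pw-constructed", "SIM-0001", 100000)}
    terminals = {1: {"enterprise": "Cafe A", "business_type": "restaurants"},
                 2: {"enterprise": "Shop B", "business_type": "jewelry"}}
    issued = {}
    otp = "K7Q2M9XA"               # would come from the OTP generation unit

    def restaurants_only(terminal, amount):
        return terminal["business_type"] == "restaurants"

    results = [
        credit_determination(credit_db, issued, "user-1", "wrong", "SIM-0001",
                             25000, otp, t0),
        credit_determination(credit_db, issued, "user-1", "pw-constructed", "SIM-0001",
                             25000, otp, t0, [restaurants_only]),
        final_determination(issued, terminals, "user-1", otp, 1200, 2, t0 + minute),
        final_determination(issued, terminals, "user-1", "WRONG000", 1200, 1, t0 + minute),
        final_determination(issued, terminals, "user-1", otp, 1200, 1, t0 + 2 * minute),
        final_determination(issued, terminals, "user-1", otp, 30000, 1, t0 + 3 * minute),
        final_determination(issued, terminals, "user-1", otp, 1200, 1, t0 + 6 * minute),
    ]
    return results, issued["user-1"].virtual_balance, credit_db["user-1"].credit_balance


if __name__ == "__main__":
    for line in scenario()[0]:
        print(line)
```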

The settlement terminal 300 will be described next.

The settlement terminal 300 is generally the same as a settlement terminal used in the settlement system using the credit cards, and is a typical computer. A hardware configuration thereof may be equivalent to that of the settlement terminal in the conventional settlement system.

It should be noted that the settlement terminal 300 includes the touch panel display, whose illustration is omitted. As a result, it means that the settlement terminal 300 includes the display and an input device. However, instead, while the settlement terminal 300 may include a display without a touch panel, and an input device including necessary input devices selected from publicly known or well-known input devices such as a numeric keypad, a keyboard, a mouse, and a trackball, so that the display and the input device are separated, the description continues below assuming that the settlement system in this embodiment includes a touch panel keyboard.

The hardware configuration of the settlement terminal 300 is illustrated in FIG. 11.

The hardware includes a CPU 311, a ROM 312, a RAM 313, and an interface 314, which are interconnected by a bus 316.

The CPU 311 is an operational device that performs operations. The CPU 311, for example, executes a computer program recorded in the ROM 312 to thereby execute the processing to be described later. This computer program may have been pre-installed in the settlement terminal 300, or may be installed in an ex-post manner. The installation of this computer program in the settlement terminal 300 may be performed via the predetermined recording medium such as the memory card, or may be performed via the network such as the LAN or the Internet.

The ROM 312 has recorded the computer program and data required to execute the processing to be described later by the CPU 311. The computer program recorded in the ROM 312 is not limited thereto, and any other necessary computer programs may be recorded.

The RAM 313 provides a work area required to perform the processing by the CPU 311.

The interface 314 performs data exchange between the CPU 311, the RAM 313 and the like, which are connected via the bus 316, and the outside. The interface 314 is at least connected to the transmission and reception unit, whose illustration is omitted. The data received by the transmission and reception unit from the network 400 is received by the interface 314, and the data passed from the interface 314 to the transmission and reception unit is sent by the transmission and reception unit, via the network 400 to the outside, for example, to the settlement device 200.

The interface 314 is also connected to the input device provided on the touch panel display so as to accept input from the input device. The interface 314 is connected to the touch panel display so as to send data for displaying the images to be described later, to the touch panel display.

Functional blocks as illustrated in FIG. 12 are generated within the settlement terminal 300 by executing the computer program by the CPU 311. It should be noted that while the following functional blocks may be generated with functions of the above-mentioned computer program alone for causing the settlement terminal 300 to function as the settlement terminal of the invention of the present application, the following functional blocks may be generated in cooperation with the above-mentioned computer program and the OS and other computer programs installed in the settlement terminal 300.

A control unit 320 as follows is generated within the settlement terminal 300 in connection with the functions of the invention of the present application, and a main control unit 321, a display control unit 322, and a data input/output unit 323 are generated within the control unit 320.

The control unit 320 executes the information processing as described below.

The main control unit 321 performs the entire control within the control unit 320. For example, the main control unit 321 performs control of the display control unit 322 based on data received from the data input/output unit 323 to be detailed later.

The main control unit 321 receives the user ID, the one-time password generated in the user terminal 100, the settlement application information, and the amount information from the data input/output unit 323 to be described later. Then, when all of them have been received, they are sent to the data input/output unit 323. The main control unit 321 may receive the settlement terminal cancellation information to be described later, from the data input/output unit 323. If the main control unit 321 has received the settlement terminal cancellation information, the main control unit 321 sends it to the data input/output unit 323 at an appropriate timing. Moreover, the main control unit 321 holds the settlement terminal ID unique to each settlement terminal 300 in order to distinguish each settlement terminal 300. The settlement terminal ID is included in the settlement application information by the main control unit 321.

The display control unit 322 performs control of the images to be displayed on the touch panel display under control of the main control unit 321. The images based on data sent from the display control unit 322 are displayed on the display. The main control unit 321 sends an instruction on what image should be displayed on the display, to the display control unit 322.

The data input/output unit 323 performs data input and output to the control unit 320. Specifically, the data input/output unit 323 receives the input from the input device. An example of data inputted from the input device to the data input/output unit 323 is as described above, and includes the user ID, the one-time password, and the settlement application information. They are sent to the main control unit 321. Moreover, the settlement terminal cancellation information may be inputted from the input device.

Moreover, the data input/output unit 323 outputs the data to the transmission and reception unit, whose illustration is omitted. The data outputted to the transmission and reception unit includes, for example, the user ID, the one-time password, the settlement application information, the amount information, and the settlement terminal cancellation information, and they are sent from the transmission and reception unit to the settlement device 200 via the network 400. It should be noted that the user ID and the one-time password are as already described. The amount information is information identifying an amount of money that a person, who intends to perform the payment with the one-time password, intends to pay. The settlement application information is information for requesting the settlement device 200 to perform the final determination of the settlement. Moreover, the settlement terminal cancellation information is information indicating an indication of intention of the administrator of the settlement terminal 300 for cancellation of one of the past settlements that have already been finished, and is inputted by the administrator of the settlement terminal 300 with the input device. The settlement terminal cancellation information includes at least information identifying one of the past settlements that the administrator desires to cancel.

A method of using the settlement system as described above, and operations thereof will be described next with reference to FIG. 20.

When this system is used to perform the settlement, first, the user operates the user's own user terminal 100 to start the settlement processing (S911). This operation is, more specifically, an operation for starting the generation of the one-time password. As the operation, the user inputs information indicating the start of the processing. For example, this information can be inputted by touching an icon displayed on the display 101 of the user terminal 100, whose illustration is omitted.

The information is sent from the data input/output unit 123 to the main control unit 121. When the main control unit 121 accepts the information, the main control unit 121 sends an instruction to display such an image for prompting the user to input the user ID and the like on the display 101, to the display control unit 122. The display control unit 122, which has accepted this instruction, displays, for example, an image for prompting the user to input the user ID, the password, and the amount for which the user intends to perform the payment, on the display 101, as illustrated in FIG. 13(A). The user inputs the user ID on the right of a field denoted as “User ID,” inputs the password on the right of a field denoted as “Password,” and inputs the upper limit amount, that is, the upper limit of the amount which the user intends to pay, on the right of a field denoted as upper limit amount in yen, respectively (S912). Data on the user ID and the password, which have been inputted by the user, is inputted from the input device 102 to the data input/output unit 123, and sent to the main control unit 121. The information identifying the upper limit amount is the upper limit amount information, and this upper limit amount information is also similarly sent to the main control unit 121. Since the user ID, the password, and the upper limit amount, which have been inputted by the user, are displayed on the display 101, also including during the input, under control of the display control unit 122 controlled by the main control unit 121, the user can input the user ID, the password, and the upper limit amount while checking the display 101. According to an example illustrated in FIG. 13(B), the user intends to use this settlement system to make the user's own user terminal 100 issue a one-time password to perform the payment of 25000 yen.

As illustrated in FIG. 13(A), in this embodiment, on a lower side of a screen prompting the user to input the user ID and the like, check boxes are displayed for causing the user to decide whether or not to split the upper limit amount, and whether or not to add the additional condition, but are not necessarily limited thereto. This display is realized through an instruction sent to the display 101 by the display control unit 122, according to an instruction from the main control unit 121.

When the user inputs a check in a check box on the left of characters saying “Split the upper limit amount” as illustrated in FIG. 13(B), the check means that the user has provided an indication of intention of “Split the upper limit amount.” Similarly, when the user inputs a check in a check box on the left of characters saying “Add additional conditions” as illustrated in FIG. 13(B), the check means that the user has provided an indication of intention of “Add additional conditions.”

It should be noted that, as will be described later, if the upper limit amount has not been split, one one-time password corresponding to the upper limit amount information corresponding to that one upper limit amount will be generated in the user terminal 100. In contrast, if the upper limit amount has been split into multiple split amounts, as many one-time passwords as the number of the split amounts, corresponding to respective pieces of split amount information corresponding to the respective split amounts, will be generated.

When the user inputs the check in the check box on the left of the characters saying “Split the upper limit amount,” for example, an image as illustrated on the left side of FIG. 14(A) is displayed on the display 101. In this example, the split of the upper limit amount of 25000 yen into units of 10000 yen, 5000 yen, and 1000 yen, which are predefined units, is required. In this case, the user can decide how to combine 10000 yen, 5000 yen, and 1000 yen by selecting the number of each of them. In an example as illustrated on the right side of FIG. 14(A), a state of the upper limit amount of 25000 yen being split into one 10000 yen and three 5000 yen is illustrated.

Instead, an image as illustrated on the left side of FIG. 14(B) can be displayed on the display 101. In this case, how to split 25000 yen is completely left to the user, and merely multiple simple frames are prepared for the user to write amounts after the split of the upper limit amount. In an example as illustrated on the right side of FIG. 14(B), a state of the upper limit amount of 25000 yen being split into 21000 yen and 4000 yen is illustrated.

In either case of FIGS. 14(A) and 14(B), when the user clicks an upper right button saying “Decide,” the upper limit amount is split in a manner inputted by the user, and is defined, and then the display of the display 101 returns to a state of FIG. 13. According to the input by the user, the upper limit amount will be represented as a sum of the split amounts by the split amount information identifying the multiple split amounts (in the above-mentioned former example, one 10000 yen, three 5000 yen, which are a total of four split amounts, and in the above-mentioned latter example, one 21000 yen and one 4000 yen, which are a total of two split amounts). This processing is performed by the main control unit 121. In this embodiment, it is assumed that the latter of the above-mentioned cases has been selected by the user.

When the user inputs the check in the check box on the left of the characters saying “Add additional conditions,” for example, an image as illustrated in FIG. 15(A) is displayed on the display 101. This display is realized through the instruction sent to the display 101 by the display control unit 122, according to the instruction from the main control unit 121.

In this example, content indicating limitation of any of a place of a payment recipient, a business type and the like of the payment recipient, and a payment period can be selected as the additional condition. The user can operate the input device 102 to select an arbitrary one of them. In an example of FIG. 15(A), a check inputted in any of check boxes positioned on the left of three choices means that the choice corresponding to the checked check box has been selected by the user.

The check has been inputted in all the check boxes in FIG. 15(B). In this embodiment, in addition to only one check box, the user can input the check in multiple check boxes and thereby add multiple additional conditions to the one-time password to be described later, which is created from one piece of the upper limit amount information, which, however, is not necessarily required. It should be noted that, in this embodiment, only one one-time password may be created, or multiple one-time passwords may be created, from one piece of the upper limit amount information.

If the multiple one-time passwords are generated from one piece of the upper limit amount information, all of the additional conditions to be set to all of the one-time passwords may or may not be the same. As is self-evident at least for those skilled in the art, if the additional conditions are set to the respective split amounts causing the respective one-time passwords to be generated, for example, as follows, the additional conditions to be set to the multiple one-time passwords created from one piece of the upper limit amount information can be different from one another. In this embodiment, if the multiple one-time passwords are generated from one piece of the upper limit amount information, the additional conditions to be set to all of the one-time passwords can be different, which, however, is not limited thereto.

When the user inputs a check in a check box on the left of characters saying “Limit the place of the payment recipient,” the settlement terminal 300 that can receive the payment is restricted by sending the one-time password to the settlement device 200 so that the payment is allowed only when the one-time password generated in the user terminal 100 has been sent to the settlement device 200 from the settlement terminal 300, which exists close to the position of the user terminal 100 when the user terminal 100 has generated the upper limit amount information and sent the upper limit amount information with other data to the settlement device 200, as will be described later. It should be noted that, while the additional information may also be generated below, if multiple pieces of the additional information are generated, the multiple pieces of the additional information are collected as one piece of the additional information including the multiple additional conditions.

When the user inputs the check in the check box on the left of the characters saying “Limit the place of the payment recipient,” data for performing the above-mentioned restriction related to the payment with the one-time password, that is, the additional information will be generated by the main control unit 121.

When the user inputs a check in a check box on the left of characters saying “Limit the business type and the like of the payment recipient,” for example, an image as illustrated in FIG. 16(A) is displayed on the display 101. In this example, the business type and the like of the payment recipient with the one-time password can be restricted in four formats.

Four restrictions in this example include, from the top, a restriction of the business type of the payment recipient, a restriction of a group of the payment recipient, a restriction of a facility of the payment recipient, and a restriction of a store of the payment recipient.

“Business type” in the restriction of the business type of the payment recipient corresponds to data of “business type name” recorded in the settlement terminal information recording unit 226, and specific examples thereof include restaurants, books, clothing, jewelry, beauty, travel agencies, brick-and-mortar store retail, the Internet retail, and the like. The user can write one of the above-illustrated business types in a frame on the right of a section of “Business Type” (it would be further convenient if multiple selection is also possible.), and thereby restrict the payment recipient with the one-time password only to the written business type. It should be noted that, for this selection, a suggestion function or a pull-down menu function, which are well known or publicly known, can be used to reduce a burden placed on the user. It should be noted that this is also similar in other cases. It should be noted that, in order to realize such a suggestion function or such a pull-down function, for example, necessary data from the various data recorded in the settlement terminal information recording unit 226 of the settlement device 200 may have been recorded in the recording medium included in the user terminal 100, or the necessary data from the data recorded in the settlement terminal information recording unit 226 of the settlement device 200 may have been made available to the user terminal 100. In either case, such specifications can be realized by a publicly known or well-known technology.

“Group” in the restriction of the group of the payment recipient generally corresponds to data of “enterprise name” recorded in the settlement terminal information recording unit 226, and is made by removing the store name from the data of “enterprise name” recorded in the settlement terminal information recording unit 226 (for example, made by removing “Shimbashi branch” from data of “McDonald's (Shimbashi branch),” for the settlement terminal of the settlement terminal ID of 1 in FIG. 8). In this case, the user writes “McDonald's,” “Starbucks,” or the like in a frame on the right of a section of “Group” (it would be further convenient if the multiple selection is also possible.). Thus, the payment performed with the one-time password becomes possible only in the case of the payment to a specific group enterprise.

“Facility” in the restriction of the facility of the payment recipient corresponds to data of “facility name” recorded in the settlement terminal information recording unit 226, and an example thereof is a name of the commercial facility such as the shopping mall or the commercial building. The user can write one of facility names in a frame on the right of a section of “Facility” (it would be further convenient if the multiple selection is also possible.), and thereby restrict the payment recipient with the one-time password only to a case where the one-time password has been sent from the settlement terminal 300 placed at the store positioned within the written facility, to the settlement device 200.

“Store” in the restriction of the store of the payment recipient corresponds to the data of “enterprise name” recorded in the settlement terminal information recording unit 226, and identifies each store where the settlement terminal 300 is placed. In this case, the user performs writing to identify a specific store such as “McDonald's (Shimbashi branch)” as a pinpoint in a frame on the right of a section of “Store” (it would be further convenient if the multiple selection is also possible.). Thus, the payment performed with the one-time password becomes possible only if the one-time password has been sent from the settlement terminal 300 placed in the specific store, to the settlement device 200.

When the user clicks an upper right button saying “Decide” on the display in FIG. 16, data for limiting the business type and the like of the payment recipient, that is, the additional information is generated by the main control unit 121, and the display of the display 101 returns to a state of FIG. 15.

It should be noted that, in the above restrictions in the four formats, the restrictions in multiple formats can also be employed in combination. In that case, it is also free to enable or disable the user to decide whether multiple restrictions are related to one another with “and” or “or,” or the like. It should be noted that, in FIG. 16(B), a state is illustrated where “◯◯ mall” has been selected as the restriction of the business type and the like of the payment recipient. In this case, the restriction is imposed to the one-time password such that the payment is allowed only if the one-time password has been sent from the settlement terminal 300 placed in a store within a facility named “◯◯ mall,” to the settlement device 200.

When the user inputs a check in a check box on the left of characters saying “Limit the payment period,” for example, an image as illustrated in FIG. 17(A) is displayed on the display 101. In this example, a period of the payment with the one-time password is restricted by specifying a start time thereof and an end time thereof, respectively.

“YYYY/MM/DD/hh/mm” is written on the right of each of sections of “Start Payment” and “End Payment” on the display 101 as illustrated in FIG. 17(A). As is well known, among them, “YYYY” denotes the Christian era, “MM” denotes the month, “DD” denotes the date, “hh” denotes the hour, and “mm” denotes the minute, respectively.

The user can select a period in which the payment with the one-time password is possible, by himself by writing in the above-described sections of “Start Payment” and “End Payment,” for example, as illustrated in FIG. 17(B). In this example, the period in which the payment with the one-time password is possible is one day on Dec. 25, 2016.

When the user clicks an upper right button saying “Decide” on the display in FIG. 17, data for limiting the payment period, that is, the additional information is generated by the main control unit 121, and the display of the display 101 returns to the state of FIG. 15.

Finally, when the user clicks an upper right button saying “Decide” displayed on the display 101 in the state of FIG. 15, the additional conditions are defined, and the additional information is also defined accordingly. Then, the display of the display 101 returns to the state of FIG. 13.

It should be noted that, regarding a way of limiting the payment period, regardless of the illustration, for example, a restricted time since an appropriate timing after the start of processing for generating the one-time password in the user terminal 100, or as a more practical illustration, since the generation of the temporary permission information, may be identified. For example, the user may be enabled to provide a limit of the payment period, such as 30 minutes within the generation of the temporary permission information, on the user's own will.

After the input of the user ID, the password, and the upper limit amount information has been finished, and the split of the upper limit amount information and the generation of the additional information have been performed if necessary, when the display of the display 101 is put into the state of FIG. 13, the user clicks a button saying “Decide” displayed on the display 101.

When the user clicks the button saying “Decide,” the GPS mechanism generates the position information on the user terminal, which is information identifying a position where the user terminal 100 exists. The position information is sent from the data input/output unit 123 to the main control unit 121. In addition to the user ID, the password, and the upper limit amount information (multiple pieces of the split amount information may be included.), possibly as well as the additional information, the main control unit 121 collects the position information, and the terminal information recorded in the recording medium of the main control unit 121, whose illustration is omitted, all together and sends them to the data input/output unit 123. The data input/output unit 123 collectively sends the data to the transmission and reception unit, and the transmission and reception unit collectively sends the data to the settlement device 200 via the network 400 (S913). Since the user clicks the button saying “Decide,” transmission of the above five pieces of the data to the settlement device 200 is executed at least, for example, within several seconds generally in real time.

The settlement device 200 accepts the data at its transmission and reception unit (S921). The transmission and reception unit sends all of the data to the data input/output unit 221, and the data input/output unit 221 sends all of the data to the main control unit 222. The main control unit 222 sends the user ID, the password, the terminal information, and the upper limit amount information to the credit determination unit 223.

The credit determination unit 223 executes the credit determination (S922). The credit determination is specifically executed as follows.

When the credit determination unit 223 receives the user ID, the password, and the terminal information from the main control unit 222, the credit determination unit 223 reads out the password, the terminal information, and the credit balance, which are associated with the user ID identical to the received user ID, from the credit information recording unit 224. If the user ID identical to the user ID received by the credit determination unit 223 does not exist in the credit information recording unit 224, the credit determination unit 223 does not read out the information such as the password from the credit information recording unit 224. In this case, the credit determination unit 223 ceases the processing of the credit determination.

In this embodiment, as illustrated in FIG. 13(B), since the user ID inputted to the user terminal 100 by the user is “d2af1apfa,” and the user ID identical thereto exists on the second row from the top of the credit information recording unit 224 (FIG. 7), the credit determination unit 223 reads out the password (aofau554), the terminal information (012457854), and the credit balance (2956002 yen), which are linked to the user ID, from the credit information recording unit 224.

If the user ID identical to the user ID received from the main control unit 222 by the credit determination unit 223 has been recorded in the credit information recording unit 224, and if the password, the terminal information, and the credit balance, which are associated with the user ID identical to the user ID received from the main control unit 222, have been read out from the credit information recording unit 224, the credit determination unit 223 determines whether or not the password and the terminal information, which have been received from the main control unit 222, are identical to the password and the terminal information which have been read out from the credit information recording unit 224. If they have matched each other, the credit determination unit 223 authenticates that the user who has sent the user ID and the like is the legitimate user. In contrast, if at least one of the password and the terminal information has not matched, it is determined that the user who has sent the user ID and the like is not the legitimate user, and the credit determination processing is ceased.

Next, the credit determination for the authenticated user is executed. The credit determination unit 223 compares the upper limit amount information sent by the user, to the credit balance read out from the above-described credit information recording unit 224, which has been linked to the user ID of the user. In this embodiment, if the credit balance is equal to or larger than the amount identified by the upper limit amount information, the settlement asked by the user is allowed, which, however, is temporary. In contrast, if the credit balance is smaller than the amount identified by the upper limit amount information, the settlement asked by the user is not allowed. In this example, since the credit balance (2956002 yen) is larger than the amount (25000 yen) identified by the upper limit amount information, the settlement asked by the user is allowed. If this settlement is allowed, the credit determination unit 223 generates the temporary permission information (S923). If the credit determination unit 223 has generated the temporary permission information, the temporary permission information is sent to the main control unit 222.

It should be noted that, if the credit determination unit 223 has generated the temporary permission information, the credit determination unit 223 notifies the main control unit 222 of the time information for identifying the time when the credit determination has been performed. This time information is sent from the main control unit 222 to the final determination unit 225, along with the user ID in order to identify who is the user who has been temporarily allowed the settlement in the temporary permission information.

The main control unit 222 sends the temporary permission information to the data input/output unit 221. The data input/output unit 221 transmits the temporary permission information to the user terminal 100 via the transmission and reception unit and the network 400 (S924).

Meanwhile, when the main control unit 222 receives the temporary permission information, the main control unit 222 sends the instruction to generate the one-time password, to the OTP generation unit 227.

The user ID received by the main control unit 222 is attached to the instruction to generate the one-time password. The OTP generation unit 227 reads out the initial value and the number of generation, which are linked to the user ID corresponding to that user ID, from the OTP information recording unit 228. Moreover, in the instruction to generate the one-time password, if the upper limit amount information includes the split amount information, information identifying at least the number of pieces of the split amount information (or may also be the split amount information itself.) is included.

Processing of generating the one-time password performed by the OTP generation unit 227 with information on the initial value and the number of generation, which have been recorded in the OTP information recording unit 228, becomes exactly the same as processing of generating the one-time password, which is executed as will be described later in the user terminal 100 that has transmitted the upper limit amount information or the like sent for generating the temporary permission information. Accordingly, unless there is fraud by a third party somewhere in the generation of the one-time password performed in the user terminal 100, the transmission of the one-time password from the settlement terminal 300 to the settlement device 200, or the like, the processing of generating the one-time password performed in the user terminal 100 and the processing of generating the one-time password performed in the settlement device 200 are completely synchronized. The one-time password is linked to the upper limit amount information. When the upper limit amount information includes the multiple pieces of the split amount information, the one-time password is linked to each of the multiple pieces of the split amount information. In other words, in the latter case, as many one-time passwords as the number of pieces of the split amount information will be generated. For example, as mentioned above, in this embodiment, a case has been illustrated where the upper limit amount information identifying the upper limit amount of 25000 yen, which has been generated in the user terminal 100, includes two pieces of the split amount information, that is, the split amount information identifying the split amount of 21000 yen, and the split amount information identifying the split amount of 4000 yen. In that case, the OTP generation unit 227 generates two one-time passwords to be linked to the respective pieces of the split amount information (S925).

When the OTP generation unit 227 has generated the one-time password, the OTP generation unit 227 sends the one-time password or the one-time passwords to the main control unit 222 with the user ID, in order to identify which user or which user terminal 100 each one-time password has been generated for. As mentioned above, the main control unit 222 has previously received the user ID, the password, and the upper limit amount information, and possibly the additional information in advance. When the main control unit 222 receives the one-time password, the main control unit 222 records the user ID, the one-time password, the upper limit amount information (or the split amount information), and the additional information, if any, in a state of being linked to one another in the virtual balance recording unit 229 (S926). Then, the upper limit amount is recorded as virtual balance information identifying the virtual balance, in the virtual balance recording unit 229. The virtual balance indicates the amount limit for one one-time password at the time point when the payment can be performed with one one-time password, and has a property in which the virtual balance becomes smaller each time the payment with the one-time password has been performed. The upper limit amount is used as an initial value of the virtual balance.

As described in the example of FIG. 10, two one-time passwords including one-time passwords of 01563894451 and f23aa012200 are made to correspond to the user ID of d2af1apfa. Moreover, these two one-time passwords are made to correspond to two virtual balances (upper limit amounts) of 21000 yen and 4000 yen, respectively. Moreover, as recorded in the virtual balance recording unit 229, the one-time password of 01563894451 has been provided with the additional condition that the payment with the one-time password is possible only in response to a request from the settlement terminal 300 placed in the store within the shopping mall named “◯◯ mall,” and the one-time password of f23aa012200 has been provided with the additional condition that the payment with the one-time password is possible only in response to a request from the settlement terminal 300 close to the user terminal.

It should be noted that both the processing of S925 and S926 and the processing of S924 as described above may be executed after the generation of the temporary permission information, regardless of the order of the processing.

The transmission and reception unit of the user terminal 100 receives the temporary permission information sent from the settlement device 200 (S914). The received temporary permission information is sent from the data input/output unit 123 to the main control unit 121. The main control unit 121, which has received the temporary permission information, notifies the OTP generation unit 124 of the reception of the temporary permission information.

The OTP generation unit 124, which has received this notification, generates the one-time password (S915). The OTP generation unit 124 has the initial value for generating the one-time password, and has recorded the number of generation indicating how many times the one-time password has been generated in the past. Moreover, the OTP generation unit 124 can use the mathematical expression for generating the one-time password (that is, the algorithm.). The OTP generation unit 124 generates the values one after another by repeating processing of assigning the initial value to the above-mentioned mathematical expression and assigning the obtained value to the mathematical expression again to obtain the next value. The OTP generation unit 124 sets the value created at the number of times larger than the number indicated by the number of generation by one, as the one-time password to be used then. This processing of generating the one-time password is the same as the processing executed in the settlement device 300. The number of the one-time passwords to be generated is one if the upper limit amount information, which has caused the reception of the temporary permission information and has been sent from the user terminal 100 to the settlement device 200, does not include the split amount information; and the number of the one-time passwords to be generated is the same number as the number of pieces of the split amount information if the upper limit amount information includes the multiple pieces of the split amount information. This situation is also similar to the settlement device 300.
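The credit determination (S922), the synchronized one-time password generation in the OTP generation units 227 and 124 (S925, S915) and the recording in the virtual balance recording unit 229 (S926) can be traced in the following added Python example, which is not part of the patent text. The SHA-256 step standing in for the unspecified mathematical expression, the 11-character truncation, the seed, the starting count of 3, the condition strings and all class and function names are assumptions; the user ID, password, terminal information, credit balance and split amounts are those of the page's example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def next_value(value: bytes) -> bytes:
    # Assumption: the page does not name its "mathematical expression";
    # one SHA-256 step stands in for it here.
    return hashlib.sha256(value).digest()


@dataclass
class OtpState:
    """Initial value and number of generation, held identically on both sides."""
    initial_value: bytes
    generated: int = 0

    def generate(self, count: int = 1) -> list[str]:
        value = self.initial_value
        for _ in range(self.generated):    # replay values consumed in the past
            value = next_value(value)
        otps = []
        for _ in range(count):             # values number generated+1, +2, ...
            value = next_value(value)
            otps.append(value.hex()[:11])  # assumed length, as in the FIG. 10 samples
        self.generated += count
        return otps


@dataclass
class CreditRecord:
    password: str
    terminal_info: str
    credit_balance: int  # yen


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison so the mismatch position is not leaked by timing.
    return hmac.compare_digest(a.encode(), b.encode())


class SettlementDevice:
    def __init__(self, credit_info, otp_info):
        self.credit_info = credit_info   # credit information recording unit 224
        self.otp_info = otp_info         # OTP information recording unit 228
        self.virtual_balance = {}        # virtual balance recording unit 229

    def handle_request(self, user_id, password, terminal_info, amounts, conditions=None):
        """S921-S926; `amounts` is [upper limit] or the list of split amounts."""
        record = self.credit_info.get(user_id)
        if record is None:
            return None                  # unknown user ID: determination ceases
        pw_ok = _equal(password, record.password)
        term_ok = _equal(terminal_info, record.terminal_info)
        if not (pw_ok and term_ok):
            return None                  # not the legitimate user
        if record.credit_balance < sum(amounts):
            return None                  # credit balance below the upper limit
        otps = self.otp_info[user_id].generate(len(amounts))        # S925
        conditions = conditions or [None] * len(amounts)
        for otp, amount, cond in zip(otps, amounts, conditions):    # S926
            self.virtual_balance[(user_id, otp)] = {"balance": amount, "conditions": cond}
        # S923/S924: only the permission travels back, never the OTPs themselves.
        return {"user_id": user_id, "temporary_permission": True}


def demo():
    seed = b"constructed-initial-value"    # constructed sample, not from the page
    device = SettlementDevice(
        {"d2af1apfa": CreditRecord("aofau554", "012457854", 2956002)},
        {"d2af1apfa": OtpState(seed, generated=3)},
    )
    terminal = OtpState(seed, generated=3)  # user terminal 100, same state
    splits = [21000, 4000]
    permission = device.handle_request(
        "d2af1apfa", "aofau554", "012457854", splits,
        ["facility: ◯◯ mall", "close to the user terminal"])
    terminal_otps = terminal.generate(len(splits)) if permission else []  # S915
    return device, terminal_otps


if __name__ == "__main__":
    dev, otps = demo()
    for otp in otps:
        print(otp, dev.virtual_balance[("d2af1apfa", otp)])
```

Because a refused request returns before `generate` is called, the number of generation advances on neither side and the two chains stay aligned.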

The generated one-time password is sent to the main control unit 121. The main control unit 121 sends an instruction to display the one-time password on the display 101, to the display control unit 122. For example, an image as illustrated in FIG. 18(A) is displayed on the display 101 under the display control of the control unit 122. If the multiple one-time passwords have been generated, all of them are indicated to the user by collectively displaying the multiple one-time passwords on the display 101, or by switching the display to thereby consecutively display the multiple one-time passwords on the display 101. Moreover, these one-time passwords are saved, for example, in the main control unit 121 so that they can be displayed on the display 101 whenever there is a request from the user.

This one-time password is utilized like a credit card number in the conventional settlement system using the credit cards, but has a limited time during which the one-time password is valid (can be used in the settlement), as will be described later. From the side of calling the user's attention, as illustrated in FIG. 18(A), such a display as “This one-time password is valid for a week from now” is preferably performed on the display 101 at an appropriate timing, regardless of whether or not the display is performed along with the one-time password.

It should be noted that, as mentioned above, the credit determination unit 223 of the settlement device 200 may also not generate the temporary permission information, if the credit determination has been ceased, if the credit balance for the user has been insufficient, or the like. In this case, naturally, the temporary permission information is not transmitted to the user terminal 100. However, also in this case, some data may be transmitted from the settlement device 200 to the user terminal 100, and a fact that the temporary permission information has not been generated in the settlement device 200 (from the user's viewpoint, a procedure of the settlement cannot be continued.), and a reason thereof, if required, may be displayed on the display 101 of the user terminal 100.

In that case, for example, such an image as illustrated in FIG. 18(B) is displayed on the display 101 of the user terminal 100. This image is also displayed on the display 101 by the display control unit 122, according to the instruction from the main control unit 121. In the case of this figure, as is apparent from a check in a square check box on the left, it is indicated to the user that the reason why the procedure of the settlement cannot be continued is that the password is not correct.

When the one-time password is displayed on the display 101 of the user terminal 100, the user is put into a state where the user can perform the payment to the third party with the one-time password, except where the payment is not allowed due to the additional condition.

The user passes the one-time password to the settlement terminal 300 at the user's desired timing, for example, by inputting the one-time password to the settlement terminal 300 (S931). If the one-time password has previously been generated, the one-time password will be passed to the settlement terminal 300 without time and effort.

As mentioned above, the settlement terminal 300 includes the touch panel display, whose illustration is omitted. On the touch panel display, for example, as illustrated in FIG. 19(A), a display for prompting the user or the like to input the user ID, the one-time password, and the payment amount is performed. The payment amount is information identifying an amount to be paid to the administrator of the settlement terminal 300 by the user, and data generated by the input thereof is the amount information as described in the present application. This display is performed by the display control unit 322 under control of the main control unit 321 of the settlement terminal 300. The user inputs the user ID on the right of a field displayed as “User ID,” inputs the one-time password on the right of a field displayed as “OTP,” and inputs the payment amount on the right of a field displayed as “Payment amount” through manual operations on the touch panel display.

The state in which the user operates the display of the settlement terminal 300 to input the user ID, the one-time password, and the payment amount is shown in FIG. 19(B). Since the user ID and the one-time password, which have been inputted by the user, are displayed on the display, also including during the input, under control of the display control unit 322 controlled by the main control unit 321, the user can input the user ID and the one-time password while checking the display.

It should be noted that, in this embodiment, the one-time password generated in the user terminal 100 is to be passed to the settlement terminal 300 through the manual input from the user, which, however, is not limited thereto. For example, after the display 101 of the user terminal 100 is imaged by a camera included in the settlement terminal 300 or connected to the settlement terminal 300, predetermined image processing can be performed for an image including the display 101 in the settlement terminal 300, so that the settlement terminal 300 may identify the one-time password displayed on the display 101. Alternatively, the one-time password displayed as a one-dimensional or two-dimensional bar code on the display 101 of the user terminal 100 is read by a bar-code reader included in the settlement terminal 300, and thereby, the one-time password generated in the user terminal 100 can also be passed to the settlement terminal 300. Moreover, the one-time password can also be passed as data from the user terminal 100 to the settlement terminal 300 through wireless communication such as Bluetooth or infrared communication. It should be noted that, if the one-time password is passed from the user terminal 100 to the settlement terminal 300 through the wireless communication, the one-time password is not necessarily required to be displayed on the display 101 of the user terminal 100.

It should be noted that a method of delivering the one-time password from the user terminal 100 to the settlement terminal 300 is not limited thereto. The user can print the one-time password generated in the user terminal 100, or information identifying the one-time password on paper, for example, with a publicly known or well-known printer owned by the user. In this case, the user is not required to generate the one-time password at a place where the user intends to perform the payment (in a store, or near the store), and may perform the generation at home or a place where the printer exists. The paper having the one-time password printed thereon can be used as a cash voucher similarly to money (or paper money), and as a tool for the payment through delivery of the paper. The user can perform the settlement by delivering the cash voucher to the administrator of the settlement terminal 300. An example of this cash voucher is illustrated in FIGS. 23 and 24.

FIG. 23 is an example of a cash voucher having the one-time password printed thereon, in which FIG. 23(A) illustrates a front side of one cash voucher, and FIG. 23(B) illustrates a back side of the cash voucher. The one-time password is printed on the cash voucher. In this embodiment, while a number of 01563894451 has been generated as the one-time password in the user terminal 100, as an example, the first half thereof is printed as a part of the one-time password (OTP1) on the front side of the cash voucher, and the second half thereof is printed as a rest part of the one-time password (OTP2) on the back side of the cash voucher. While the entire one-time password may be printed on either of the front side or the back side of the cash voucher, when the one-time password is printed across both sides of the cash voucher in this way, it becomes difficult for a malicious third party to steal a glance at the entire one-time password or secretly take a photo thereof. Moreover, on the cash voucher in FIG. 23, a face F of a person supposed to use this cash voucher to perform the payment (the person is not necessarily the user who has generated the one-time password.) is printed. With such a cash voucher, it is possible to make a rule that only if a face of a person who has passed the cash voucher to the administrator of the settlement terminal 300 has matched the face printed on the cash voucher, the administrator of the settlement terminal 300 performs subsequent processing related to the settlement, and execution of such a rule can reduce a risk of fraudulent use of a cash voucher (fraudulent payment) by a person who has fraudulently obtained the cash voucher. It should be noted that, in this example, while the face F of the user or the like is printed on both the front and back sides of the cash voucher, the face F only needs to be printed on any one side of the cash voucher. The administrator of the settlement terminal 300, who has received such a cash voucher, can input one part and the rest part of the one-time password described on the front and back sides of the cash voucher, to the settlement terminal 300 by using a numeric keypad or other input devices, or by imaging them with the camera. If the face F is that of a person other than the user, a person to whom the cash voucher has been legitimately transferred from the user can use the cash voucher to perform the settlement.

The cash voucher in FIG. 24 has the information for identifying the one-time password printed on the paper, instead of the one-time password. As an example of the information for identifying the one-time password, the two-dimensional bar code is employed in this embodiment. Also in the case of the cash voucher as illustrated in FIG. 24, one part of the one-time password is printed on the front side of the cash voucher, and the rest part of the one-time password is printed on the back side of the cash voucher. The two-dimensional bar code printed on the side as illustrated in FIG. 24(A) corresponds to OTP1 described in FIG. 23(A), and also, the two-dimensional bar code printed on the side as illustrated in FIG. 24(B) corresponds to OTP2 described in FIG. 23(B), and when those two-dimensional bar codes are read by a predetermined two-dimensional bar-code reader, respective values corresponding to OTP1 and OTP2 are read out. Moreover, as is the case of the cash voucher as illustrated in FIG. 23, the cash voucher as illustrated in FIG. 24 also has the face F of a person, who is scheduled to use the cash voucher, printed on both the front and back sides thereof. The administrator of the settlement terminal 300, who has received such a cash voucher, can input the one-time password to the settlement terminal 300, for example, by using the bar-code reader to read the two-dimensional bar codes printed on the front and back sides of the cash voucher.

It should be noted that, if the multiple one-time passwords are generated in the user terminal 100, the above-mentioned cash voucher may be printed for each one-time password.

In either case, after the user or the administrator of the settlement terminal 300 finishes the input of the user ID, the password, and the amount information, the user or the administrator of the settlement terminal 300 clicks the button saying “Decide,” which is displayed on the display.

When the user or the like clicks the button saying “Decide,” content of the input is sent from the data input/output unit 323 to the main control unit 321. When the main control unit 321 receives the content of the input, the main control unit 321 generates the settlement application information. The settlement application information is the information for requesting the settlement device 200 to perform the final determination of the settlement, from the administrator of the settlement terminal 300. The settlement terminal ID for identifying the settlement terminal 300 is also included in the settlement application information. The main control unit 321 collects the settlement application information, the user ID, the one-time password, and the amount information, all together, and sends them to the transmission and reception unit of the settlement terminal 300 via the data input/output unit 323, and sends them from the transmission and reception unit to the settlement device 200 via the network 400 (S932).

The settlement device 200 receives those pieces of the data comprising the one-time password sent from the settlement terminal 300, at its transmission and reception unit (S927). The settlement application information, the user ID, the one-time password, and the amount information sent from the settlement terminal 300 are sent to the main control unit 222 via the data input/output unit 221.

The main control unit 222 sends the data of the settlement application information, the user ID, and the one-time password sent from the settlement terminal 300, to the final determination unit 225. The final determination unit 225 performs the final determination (S928).

The final determination is performed as follows.

When the final determination unit 225 receives the settlement application information, the user ID, and the one-time password from the main control unit 222, the final determination unit 225 reads out a one-time password identical to the one-time password received from the main control unit 222, among them, along with the user ID, the virtual balance information, the time information, and the additional information, which are made to correspond to that identical one-time password, from the virtual balance recording unit 229. For example, if the one-time password sent from the user to the settlement device 200 via the settlement terminal 300 has been “01563894451” as illustrated in FIG. 18, since the one-time password identical thereto exists on the top of the virtual balance recording unit 229 as illustrated in FIG. 10, the final determination unit 225 reads out, in addition to this one-time password, the user ID of “d2af1apfa;” the virtual balance information identifying the virtual balance of “21000 yen;” the time information “2016/12/24/10/11” indicating that the one-time password has been generated at 10:11 on Dec. 24, 2016; and the additional information identifying the additional condition of “Only ◯◯ mall,” from the virtual balance recording unit 229. If the one-time password identical to the one-time password received from the main control unit 222 has not been recorded in the virtual balance recording unit 229, the final determination unit 225 determines not to allow the payment. In other words, matching of both one-time passwords, that is, the one-time password generated in the user terminal 100 and the one-time password generated in the settlement device 200, becomes one of the conditions for the determination that the settlement is possible, in the final determination. This condition is valid because it is possible to assume that there is no fraud in all processes of the settlement, if both one-time passwords match each other. For example, it is possible to assume that there is no impersonation by the malicious third party with respect to a person who has used the user terminal 100 to generate the one-time password, and the administrator of the settlement terminal 300 who has sent the one-time password, and moreover, there is no attack by the malicious third party also during the transmission of the one-time password from the settlement terminal 300 to the settlement device 200.

It is assumed that the final determination unit 225 has successfully read out the one-time password identical to the one-time password received from the main control unit 222, along with the user ID, the virtual balance information, and the additional information, which are made to correspond to that identical one-time password, from the virtual balance recording unit 229. Then, the final determination unit 225 determines whether or not the user ID received from the main control unit 222 is identical to the user ID made to correspond to the one-time password in the virtual balance recording unit 229. This check is made because, if they do not match each other, the user who has sent the one-time password and the like via the settlement terminal 300 may be the malicious third party.

If both user IDs have matched each other, the final determination unit 225 compares the amount identified by the amount information sent from the main control unit 222, to the amount identified by the virtual balance information read out from the virtual balance recording unit 229. The amount identified by the virtual balance information being equal to or larger than the amount identified by the amount information becomes one of the conditions for the final determination unit 225 to allow the payment asked by the user. This becomes the condition because money of the amount identified by the virtual balance information can also be considered, in a way, as having been deposited with the settlement device 200 or the administrator thereof by the user, and thus, if the payment has been allowed, reception of the money of the amount by the administrator of the settlement terminal 300 is generally ensured. For example, if the amount identified by the amount information sent from the user to the settlement device 200 via the settlement terminal 300 is “10000 yen” as illustrated in FIG. 18, and the amount identified by the virtual balance information is “21000 yen” as illustrated in FIG. 10, the above-described condition is satisfied.

Moreover, in the final determination in this embodiment, the final determination unit 225 compares the time identified by the time information, which has been generated by the credit determination unit 223 and recorded in the virtual balance recording unit 229, to a time when the final determination has been performed, and determines whether or not a time interval therebetween is within a predetermined time interval. The time interval being within the predetermined time interval (in this embodiment, the time interval is one week as described with FIG. 18(A).) becomes one of the conditions for the determination that the settlement is possible, in the final determination in this embodiment, which, however, is not necessarily limited thereto. This condition is valid because reduction in the time interval can reduce a time in which the one-time password generated by the user terminal 100 can be stolen and fraudulently used by the third party, and thereby further increase the safety of the settlement. It should be noted that, in this embodiment, the time when the credit determination has been performed in the credit determination unit 223 is to be used as a starting point for measuring the above-mentioned time interval, and the time when the final determination is performed in the final determination unit 225 is to be used as an ending point for measuring the above-mentioned time interval. However, specifically, the starting point for measuring the above-mentioned time interval is not limited to the above-mentioned timing. The starting point for measuring the above-mentioned time interval can be an appropriate timing after the user operates the input device 102 of the user terminal 100 to thereby provide the first input required for the processing for this settlement, and before the final determination unit 225 performs the final determination. In other words, an arbitrary timing after S911 is started, and before the final determination is performed in the final determination unit 225, specifically, an arbitrary time point until a time instant when the temporary permission information arrives at the user terminal 100 from the settlement device 200, can be the starting point for measuring the above-mentioned time interval. Examples of an employable starting point include a timing when the upper limit amount information has been inputted in the user terminal 100; a timing when the button having characters saying “Decide” displayed thereon, which is displayed on the display 101 in the user terminal 100, has been clicked; a timing when the upper limit amount information and the like transmitted from the user terminal 100 have been received by the settlement device 200; a timing when the credit determination has been started in the credit determination unit 223; a timing when the transmission of the temporary permission information from the settlement device 200 to the user terminal has been started; and the like. Note that it is also possible to set no validity period for the one-time password generated in the user terminal 100 in this settlement system.

Moreover, if the additional information has been added to the one-time password for which the user has asked for the payment with this one-time password, the final determination unit 225 also regards the satisfaction of the additional condition indicated by the additional information, as one of the conditions for allowing the payment.

In the above-mentioned example, while the user has intended to use the one-time password of “01563894451” for the payment, the additional condition of “Only ◯◯ mall,” that is, the additional condition that the payment is allowed only when the one-time password and the like have been sent from the settlement terminal 300 placed at the store within ◯◯ mall, to the settlement device 200, has been added to this one-time password, and thus, the final determination unit 225 determines whether or not this condition has been satisfied. As mentioned above, the settlement terminal ID, which is an identifier for identifying the settlement terminal 300 that has sent the settlement application information to the settlement device 200 with the one-time password and the like, has been added to the settlement application information. The final determination unit 225 reads out information (at least information required for the determination) on the store having the settlement terminal ID added, from the settlement terminal information recording unit 226, in order to perform the above-mentioned determination.

For example, it is assumed that the settlement terminal ID of 2 has been added to the settlement application information. In this case, as can be seen in FIG. 8, its facility name is “◯◯ mall,” and the store where the settlement terminal 300 having the settlement terminal ID added is placed, is positioned in ◯◯ mall. In other words, in this case, the above-mentioned additional condition is satisfied.

The additional conditions include, for example, as mentioned above, the restriction of the business type of the payment recipient, the restriction of the group of the payment recipient, the restriction of the store, and the restriction of the facility of the payment recipient. While the above-mentioned additional information “◯◯ mall” corresponds to the restriction of the facility of the payment recipient, if the restriction of the business type of the payment recipient has been added to the one-time password as the additional condition, the final determination unit 225 reads out the data of the business type name linked to the settlement terminal ID added to the settlement application information, from the settlement terminal information recording unit 226, and determines whether or not the additional condition has been satisfied. Moreover, if the restrictions of the group and the store of the payment recipient have been added to the one-time password as the additional conditions, the final determination unit 225 reads out the data of the enterprise name linked to the settlement terminal ID added to the settlement application information, from the settlement terminal information recording unit 226, and determines whether or not the additional conditions have been satisfied.

Moreover, the payment period may also be restricted as the additional condition. In that case, the final determination unit 225 determines whether or not date and time at a time point when the final determination is performed satisfy the condition required in the additional condition (for example, in the case as illustrated in FIG. 17(B), the additional condition is the condition that the payment with the one-time password is allowed only for one day on Dec. 25, 2016.). It should be noted that, if this determination requires date and time of the generation of the temporary permission information, the final determination unit 225 may utilize the above-mentioned time information for this determination.

As mentioned above, the user may input the check in the check box on the left of the characters saying “Limit the place of the payment recipient” as illustrated in FIG. 15(B). The additional condition in this case becomes, in this embodiment, the second additional condition from the top of FIG. 10, that is, “Close to the user terminal,” but is not limited thereto. In more detail, this additional condition is the condition that the payment is allowed only when the one-time password generated in the user terminal 100 has been sent to the settlement device 200 from the settlement terminal 300, which exists close to the position of the user terminal 100 when the user terminal 100 has generated the upper limit amount information and sent the upper limit amount information with other data to the settlement device 200, as will be described later.

If this additional condition exists, the final determination unit 225 reads out the position information from the settlement terminal information recording unit 226. In contrast, as mentioned above, to the additional information for identifying the additional condition of “Close to the user terminal,” which has been recorded in the virtual balance recording unit 229, the position information indicating where the user terminal 100 has existed when the user has sent the upper limit amount information to the settlement device 200 has been added. If the additional condition of “Close to the user terminal” exists, the final determination unit 225 compares both pieces of the position information, and determines whether or not the user terminal 100 when the upper limit amount information has been inputted, and the settlement terminal 300 that has sent the one-time password and the like to the settlement device 200 are positioned close to each other, that is, whether or not a distance between both is equal to or less than a predetermined distance. In this case, a fact that the positions identified by both pieces of the position information are closer than the predetermined distance, for example, 20 m, becomes one of the conditions for the determination that the settlement is possible, in the final determination. This condition is valid for the following reason. Simply stated, the position information sent from the user terminal 100 indicates where the user terminal 100 is located, and the position information read out from the settlement terminal information recording unit 226 indicates where the settlement terminal 300 is located. Then, a fact that the positions identified by both pieces of the position information are close indicates that the user operating the user terminal 100 and the administrator of the settlement terminal 300 are close. In the case where, for example, the user immediately uses the generated one-time password, the user and the administrator of the settlement terminal 300 who receives the payment from the user are close when the payment is performed. For example, in the case where the user immediately uses the one-time password generated by their own user terminal 100 to perform the payment at restaurants, other eating places, shops of brick-and-mortar stores and the like, such a situation usually occurs; or rather, a situation other than this hardly ever occurs. A possibility of achieving prevention of the impersonation of the user or the administrator of the settlement terminal 300 by the third party is increased by checking whether or not a situation has occurred where a distance between the user and the settlement terminal 300 is close, through the comparison of the two pieces of the position information as described above. In addition, while the position of the settlement terminal 300 is fixed to some extent, the user moves, and thus it is difficult for the third party who does not know where the user is to impersonate the user. Accordingly, it is very meaningful to have a result of the comparison of the two pieces of the position information, as the condition for allowing the settlement. It should be noted that, while safety of the settlement using this settlement system increases with a shorter reference distance (for example, 20 m in the above-mentioned case) for judging whether or not the positions identified by both pieces of the position information are “close,” this reference distance may be appropriately decided depending on performance of the GPS mechanism included in the user terminal 100 (precision of the position of the user terminal 100 identified by the position information) or the like.

In contrast, there is a case where the settlement terminal 300 does not exist in the brick-and-mortar store. For example, in the case of the payment at the virtual store existing on the Internet, online settlement is performed as is widely known. In that case, it is not meaningful to have the distance between the user and the settlement terminal 300, as the condition for allowing the settlement. In this embodiment, if the settlement terminal 300 does not exist in the brick-and-mortar store, as is the case of the settlement terminal ID of 4 in FIG. 8, the position information on the settlement terminal 300 does not need to be recorded in the settlement terminal information recording unit 226, which, however, is not necessarily limited thereto. This is because, if the settlement terminal 300 does not exist in the brick-and-mortar store, the additional condition of “Close to the user terminal” is not selected by the user.

It should be noted that, in this embodiment, whenever the upper limit amount information and the like are transmitted from the user terminal 100 to the settlement device 200, the position information identifying the position of the user terminal 100 is also supposed to be transmitted. However, as mentioned above, the position information is required only if the additional condition of “Limit the place of the payment recipient” has been selected by the user. Accordingly, the position information may be transmitted from the user terminal 100 to the settlement device 200 only if the position information is required, that is, only if the additional condition of “Limit the place of the payment recipient” has been selected by the user.

To sum up, in this embodiment, only when the final determination unit 225 of the settlement device 200 has determined that the following five conditions have all been satisfied, the final determination unit 225 finally makes the decision to allow the payment from the user having the user terminal 100 to the administrator of the settlement terminal 300.

1. The one-time password matching the one-time password sent from the user terminal 100 to the settlement device 200 via the settlement terminal 300 has been recorded in the virtual balance recording unit 229.
2. The user ID, which has been sent with the one-time password from the user terminal 100 to the settlement device 200 via the settlement terminal 300, matches the user ID associated with the one-time password, which has been recorded in the virtual balance recording unit 229 and is identical to the one-time password sent from the user terminal 100.
3. The amount identified by the amount information, which has been sent with the one-time password from the user terminal 100 via the settlement terminal 300, is equal to or less than the virtual balance associated with the one-time password matching the one-time password sent from the user terminal 100.
4. A timing when the final determination is performed is before a certain time point defined in the settlement device 200.
5. The payment satisfies the additional condition.

If any of the above-described five conditions is not satisfied, the final determination unit 225 in this embodiment finally makes the decision not to allow the above-described payment. Both these decisions are referred to as “final determination.”

It should be noted that, in the above-described five conditions to be used in the final determination by the final determination unit 225, only the conditions 1 and 3 are essential. This settlement system may be changed such that the final determination unit 225 performs the final determination without use of other conditions. Moreover, if the above-described five conditions are used in the final determination, there is no specific rule regarding which condition the determination is started with.

If the final determination unit 225 has performed the final determination, the final determination unit 225 generates the final determination data that is the data indicating the result of the final determination, and sends the final determination data to the main control unit 222. If the payment has been allowed in the final determination, the main control unit 222, which has received the final determination data, performs processing for allowing the payment of the amount of money identified by the amount information that has been sent from the settlement terminal 300 with the one-time password, from the user having the user terminal 100 that has generated the one-time password or the like, to the administrator of the settlement terminal 300 that has sent the one-time password used to perform the final determination. The result of this processing is recorded, for example, in the recording medium, which has been integrated in the main control unit 222, or located within or outside the settlement device 200, and whose illustration is omitted, and the related financial institution or the like is notified thereof if it is required to realize the processing of the payment. Content to be recorded in the recording medium may include at least information for identifying the user who has performed the payment, information for identifying a recipient of the payment, and the one-time password used in the payment. Moreover, as a part of this processing, the main control unit 222 subtracts the paid amount from the virtual balance recorded in the virtual balance recording unit 229 in a state of being associated with the one-time password used for the payment. Meanwhile, if the payment has not been allowed in the final determination, the main control unit 222 does not perform the above-mentioned processing.
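The five-condition final determination and the subsequent balance subtraction described above, as an added Python example (not code from the patent). The record layout, the `facility:` / `near_user` encoding of the additional condition, the reason strings, the constant-time comparison, the positive-amount check, the facility name "XX mall" (standing in for the masked name in FIG. 8) and all coordinates are assumptions of this example.

```python
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

VALIDITY = timedelta(weeks=1)   # validity period used in the embodiment
MAX_DISTANCE_M = 20.0           # reference distance for "Close to the user terminal"

@dataclass
class BalanceRecord:            # one entry of the virtual balance recording unit 229
    otp: str
    user_id: str
    balance_yen: int
    issued_at: datetime         # the "time information"
    condition: Optional[str] = None                # assumed encoding of the additional information
    user_pos: Optional[Tuple[float, float]] = None # (lat, lon) sent with the upper limit amount

@dataclass
class Terminal:                 # one entry of the settlement terminal information recording unit 226
    facility: Optional[str]
    pos: Optional[Tuple[float, float]]             # None for an online store

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not reveal how much of a guess matched.
    return hmac.compare_digest(a.encode(), b.encode())

def distance_m(a, b) -> float:
    """Great-circle (haversine) distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def additional_condition_ok(rec: BalanceRecord, term: Terminal) -> bool:
    if rec.condition is None:
        return True
    if rec.condition.startswith("facility:"):
        return term.facility == rec.condition[len("facility:"):]
    if rec.condition == "near_user":
        if rec.user_pos is None or term.pos is None:
            return False        # online terminal or missing position: cannot be "close"
        return distance_m(rec.user_pos, term.pos) <= MAX_DISTANCE_M
    return False                # unknown condition: fail closed

def final_determination(records: List[BalanceRecord], terminals: Dict[int, Terminal],
                        req: dict, now: datetime):
    """Apply conditions 1-5 in order; return (allowed, reason, matching record or None)."""
    rec = None
    for r in records:                               # condition 1: OTP is recorded
        if _same(r.otp, req["otp"]):
            rec = r
    if rec is None:
        return False, "otp_not_recorded", None
    if not _same(rec.user_id, req["user_id"]):      # condition 2: user ID matches
        return False, "user_id_mismatch", rec
    if not 0 < req["amount_yen"] <= rec.balance_yen:  # condition 3: amount <= virtual balance
        return False, "amount", rec
    if not rec.issued_at <= now <= rec.issued_at + VALIDITY:  # condition 4: still valid
        return False, "expired", rec
    term = terminals.get(req["terminal_id"])        # condition 5: additional condition
    if term is None or not additional_condition_ok(rec, term):
        return False, "additional_condition", rec
    return True, "allowed", rec

def settle(records, terminals, req, now):
    """Final determination followed by the balance subtraction done on approval."""
    allowed, reason, rec = final_determination(records, terminals, req, now)
    if allowed:
        rec.balance_yen -= req["amount_yen"]
    return allowed, reason

def sample_state():
    """Constructed data; the first record uses the values the text quotes from FIG. 10."""
    records = [
        BalanceRecord("01563894451", "d2af1apfa", 21000,
                      datetime(2016, 12, 24, 10, 11), "facility:XX mall"),
        BalanceRecord("99999999999", "constructed-user", 5000,
                      datetime(2016, 12, 24, 10, 11), "near_user", (35.0, 139.0)),
    ]
    terminals = {
        2: Terminal("XX mall", (35.0, 139.0)),
        3: Terminal(None, (35.0001, 139.0)),   # about 11 m from the constructed user position
        4: Terminal(None, None),               # online store, no position recorded
        5: Terminal(None, (35.001, 139.0)),    # about 111 m away
    }
    return records, terminals
```

Because `settle` deducts from the record tied to the one-time password, the same password keeps working at any permitted terminal until the remaining virtual balance, the validity period, or the additional condition rules it out.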

The main control unit 222 sends the content of the final determination data to the data input/output unit 221 so that the content is sent via the transmission and reception unit and the network 400, to the settlement terminal 300 that has transmitted the settlement application information that becomes the basis of the final determination (S929).

The settlement terminal 300 receives this data (S933). The settlement terminal 300 receives this data at its transmission and reception unit. The data received by the transmission and reception unit is sent from the transmission and reception unit to the data input/output unit 323, and is sent from the data input/output unit 323 to the main control unit 321.

The main control unit 321 controls the display control unit 322 to display the content based on the final determination data on its display. Under control of the display control unit 322, appropriate display is performed on the display of the settlement terminal 300 (S934). If the content of the final determination data allows the payment, the display would indicate it, and if the content of the final determination data does not allow the payment, the display would indicate it.

It should be noted that the settlement device 200 may also transmit the content of the final determination data to the user terminal 100, in addition to the settlement terminal 300. In this case, the content based on the final determination data, which is similar to that displayed on the display of the settlement terminal 300, is displayed on the display 101 of the user terminal 100.

The above is a flow of the settlement performed in the settlement system in this embodiment.

Moreover, if there is a remaining amount in the virtual balance for one one-time password, the user may use the same one-time password for the payment again. In that case, the settlement terminal 300 used to send the one-time password and the like to the settlement device 200 is not necessarily the same as the settlement terminal 300 used last time. In other words, the user can perform the payment with the one-time password multiple times, possibly to different persons, within a range of the upper limit amount identified by the upper limit amount information.

In contrast, the one-time password may expire before the user uses it, and the virtual balance made to correspond to the one-time password may not be 0. In such a case, the main control unit 222 in the settlement device 200 may process money corresponding to the balance as money that has not been used by the user. For example, the money for the balance may be set back to the user's credit balance, and moreover, even if the one-time password has been issued in the user terminal 100, when the payment with the one-time password has not occurred, for example, an external financial institution may not be notified of the performance of the payment with the one-time password.

However, the settlement performed as described above may be canceled. The cancellation is executed in the following flow.

It is assumed that, in some circumstances, the user and the administrator of the settlement terminal 300 wish to cancel a settlement performed in the past. Then, the user operates the input device 102 of the user terminal 100 to invoke a settlement cancellation screen on the display 101. An example of the display on the display 101 at the time is illustrated in FIG. 21. It should be noted that, in this example, the above-described settlement of 25000 yen, which has been performed by the user with the user ID of d2af1apfa, is to be cancelled.

As illustrated in FIG. 21, a list of past settlements that are cancelable is displayed on the display 101. In this embodiment, the past settlements that are cancelable are limited, for example, to those within 10 minutes after the settlements have finished in the settlement device 200, and thus, there will not be many past settlements displayed here. In FIG. 21(A), two payments, that is, a payment of 25000 yen that has been performed at 19:21 on Dec. 25, 2016, and a payment of 2600 yen that has been performed at 19:18 on the same day, are displayed as cancelable targets on the display 101. The user uses the input device 102 to select one of them. FIG. 21(B) illustrates a state where the former of the two payments as cancellation targets has been selected. When the user clicks a button saying “Decide,” the user terminal cancellation information including information for identifying the payment of 25000 yen that has been performed at 19:21 on Dec. 25, 2016, as the cancellation target is generated. The user terminal cancellation information is generated by the main control unit 121 that has accepted the input from the input device 102 via the data input/output unit 123. The user terminal cancellation information is sent from the main control unit 121 to the transmission and reception unit via the data input/output unit 123, and sent from the transmission and reception unit to the settlement device 200 via the network 400.

Meanwhile, the administrator of the settlement terminal 300 also performs similar processing to generate the settlement terminal cancellation information. The administrator of the settlement terminal 300 operates the input device of the settlement terminal 300 to display a screen similar to that illustrated in FIG. 21 on the display of the settlement terminal 300. The list of the past settlements that are cancelable is displayed on the display. In this embodiment, while the past settlements that are cancelable are limited, for example, to those within 10 minutes after the settlements have finished in the settlement device 200, the number of settlements performed with one settlement terminal 300 is generally larger than the number of settlements performed with one user terminal 100, and thus, more settlements than those illustrated in FIG. 21 will be displayed on the display of the settlement terminal 300. The administrator of the settlement terminal 300 operates the input device of the settlement terminal 300 to select one of them. In order for the administrator of the settlement terminal 300 to avoid a wrong choice, while only the time and date and the amount of the settlement are displayed as information for identifying the past settlement in the example as illustrated in FIG. 21, in addition, information for identifying the user who has performed the settlement, for example, the user ID, may also conveniently be displayed on the display. With the operation of the input device by the administrator of the settlement terminal 300, the settlement terminal cancellation information including the information identifying the payment of 25000 yen that has been performed by the user with the user ID of d2af1apfa at 19:21 on Dec. 25, 2016 is generated. The settlement terminal cancellation information is generated by the main control unit 321 that has accepted the input from the input device via the data input/output unit 323. The settlement terminal cancellation information is sent from the main control unit 321 to the transmission and reception unit via the data input/output unit 323, and sent from the transmission and reception unit to the settlement device 200 via the network 400.

The settlement device 200 receives the user terminal cancellation information and the settlement terminal cancellation information at its transmission and reception unit. The user terminal cancellation information and the settlement terminal cancellation information are sent to the main control unit 222 via the data input/output unit 221. If the main control unit 222 has received those two pieces of the information, the main control unit 222 determines whether or not the past settlements identified by the user terminal cancellation information and the settlement terminal cancellation information are identical. As a result, if both are identical, the main control unit 222 performs processing for canceling this past settlement. If only one of the user terminal cancellation information and the settlement terminal cancellation information has been received, or if these two pieces of the information have been received, but the past settlements identified by the user terminal cancellation information and the settlement terminal cancellation information are not identical, the main control unit 222 does not perform processing of canceling the past settlements. The main control unit 222 records a result of the cancellation of the settlement, for example, in the recording medium, which has been integrated in the main control unit 222, and whose illustration is omitted, and moreover, notifies the related financial institution or the like of the result if it is required to realize the processing of the cancellation.

The above-mentioned cancellation processing becomes more practical, for example, in use as follows.

The one-time password in the invention of the present application, which is used like the credit card number in the conventional credit card, is, so to speak, disposable, and thus the possibility of its misappropriation is very low and can hardly be assumed. However, while the user sends the one-time password generated in the user terminal 100 to the settlement device 200 via the settlement terminal 300, there is a slight possibility of the one-time password being stolen by a third party and used by the third party.

In the above-mentioned embodiment, when the user intends to perform the payment, the user ID in addition to the one-time password is to be transmitted from the settlement terminal 300 to the settlement device 200. However, if the material for identifying the user, which is sent with the one-time password from the settlement terminal 300 to the settlement device 200, is only the user ID, since the user ID is typically not changed and is fixed, when the user ID has also been stolen in addition to the one-time password, a situation may also occur where the impersonation by the third party cannot be prevented. However, instead of sending the user ID with the one-time password, when biometric authentication is performed with a signature provided by the user to the touch panel display included in the settlement terminal 300, or with a fingerprint, a retina texture or the like of the user, along with the one-time password, such impersonation becomes almost impossible. However, since the signature, the fingerprint, the retina texture and the like, which are used for the biometric authentication, are basically unchanged, a slight possibility of the impersonation by the third party is still left even if they are used. Moreover, as will be mentioned later, if the one-time password is sent from the settlement terminal 300 to the settlement device 200, any information for identifying the user who has generated the one-time password in the user's own user terminal 100, such as the user ID, may also not be attached. In such a case, with a one-time password for which the temporary permission information has been generated, anyone, in addition to the user who has generated the one-time password with the user's own user terminal 100, can deliver the one-time password to the other party to perform the payment, so that the one-time password will have characteristics like cash, a check or the like. If the settlement system handles such a one-time password, the third party who has stolen the one-time password can replace the user who has generated the one-time password with the user's own user terminal 100, and can use the one-time password.

The fraudulent use of the one-time password by such a third party can be prevented by the above-mentioned cancellation processing.

As mentioned above, in the settlement system of this embodiment, the final determination data is sent from the settlement device 200 to the settlement terminal 300, and the content indicated by the final determination data is displayed on the display included in the settlement terminal 300.

Here, it is assumed that the one-time password has been fraudulently used by the third party. For example, it is assumed that the stolen one-time password has been transmitted to the settlement device 200 from the settlement terminal 300 managed by a person other than the other party to whom the user has intended to pass the one-time password, which has been generated in the user's own user terminal 100 in order to perform the user's payment. In this case, the payment with the one-time password may be approved by the final determination unit 225 of the settlement device 200. However, as mentioned above, in order for the final determination unit 225 to perform positive determination for the payment with the one-time password sent from the settlement terminal 300, all of the above-mentioned five requirements need to be satisfied in this embodiment. Accordingly, even if the one-time password stolen from the user and sent to the settlement device 200 has matched the one-time password created in the OTP generation unit 227 of the settlement device 200 and recorded in the virtual balance recording unit 229, the final determination unit 225 does not allow the settlement unless all other requirements are satisfied. However, all other conditions may be satisfied, and moreover, since some of the other conditions are not necessarily essential in the settlement system in this embodiment, the other conditions may also not be considered in the final determination unit 225 in the first place. In such a case, if the above-mentioned condition of matching of the one-time passwords has been satisfied and the virtual balance is sufficiently left, the final determination unit 225 of the settlement device 200 approves the payment with the one-time password.

In this case, the final determination data will be sent from the settlement device 200 to the settlement terminal 300. This final determination data is supposed to indicate that the settlement has been allowed. However, here, a problem is that the administrator of the settlement terminal 300 who has been enabled to receive the payment is different from the other party to whom the user has originally intended to perform the payment. In this stage, the final determination data has not arrived at the settlement terminal 300 of the administrator who is the other party to whom the user has originally intended to perform the payment. Meanwhile, as mentioned above, the final determination data may also be sent to the user terminal 100. However, even if the final determination data is sent to the user terminal 100 in this stage, the content of the final determination data is that the settlement device 200 has allowed the payment from the user to the other party to whom the user has not originally intended to perform the payment. Also depending on the degree of the information displayed on the display of the user terminal 100, from the content, the user may not be aware of the fraudulent use of the one-time password generated in the user's own user terminal 100, by the third party.

Meanwhile, it is assumed that, after the third party has already used the one-time password generated by the user in the user's own user terminal 100, that is, after the payment to someone with the one-time password has been established, the user has passed the one-time password to the other party to whom the user has originally intended to perform the payment. In this case, the one-time password is sent from the settlement terminal 300 of the administrator who is the other party, to the settlement device 200. However, since the one-time password has already been used in the past payment, the final determination unit 225 of the settlement device 200 does not allow the payment with the one-time password again. For example, regarding a fact that the one-time password has been utilized in the past (for example, within a certain time range), the final determination unit 225 searches whether or not a one-time password, which is identical to the one-time password that is a current target of the final determination, exists in the one-time passwords recorded in the above-mentioned recording medium, and if the identical one-time password exists, the final determination unit 225 can determine that the one-time password has been utilized in the past. However, since the one-time password has already been used for a past payment, the final determination unit 225 of the settlement device 200 may not allow the payment with the one-time password, depending on an amount of the balance for the one-time password.

Thus, in this case, the final determination data sent from the settlement device 200 to the settlement terminal 300 may indicate that the settlement is not allowed. The administrator of the settlement terminal 300, who has been a person who should originally receive the payment, tells the user who has passed the one-time password that the settlement has not been allowed in the settlement device 200.

The user, who has heard it, recognizes the fraudulent use of the one-time password in the past, and may execute the above-mentioned cancellation processing. Thereby, the fraudulent use of the one-time password can be prevented. It should be noted that the settlement device 200 can grasp the second attempt to use the one-time password, as mentioned above. The settlement device 200 may notify the user terminal 100 thereof, or of existence of a person who intends the fraudulent use of the one-time password. In order to enable the user to more easily recognize an occurrence of the fraudulent use, information on the number of payments performed with the one-time password, or on the balance after the payments with the one-time password, should be previously added to data to be sent to the user terminal 100 or the settlement terminal 300 when the settlement has been allowed or has not been allowed, and such information should be displayed on the display 101 of the user terminal 100 or the display of the settlement terminal 300.
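The final determination against the virtual balance, the payment count and balance returned with each result, and the two-sided cancellation described above can be modelled as follows. This is an added example, not code from the patent; the class and method names, the one-time password string and the terminal names are constructed, and the expiry check, the rule that each side may cancel only its own settlements, and the restoring of the virtual balance on cancellation are assumptions.

```python
from dataclasses import dataclass

CANCEL_WINDOW_S = 10 * 60   # the embodiment's example: cancelable within 10 minutes


@dataclass
class OtpRecord:             # one entry of the virtual balance recording unit 229
    user_id: str
    virtual_balance: int     # starts at the upper limit amount
    expires_at: int
    payments: int = 0


@dataclass
class Settlement:
    otp: str
    user_id: str
    payee: str               # settlement terminal that received the payment
    amount: int
    at: int
    canceled: bool = False


class SettlementDevice:
    def __init__(self):
        self.otps = {}         # one-time password -> OtpRecord
        self.settlements = {}  # settlement id -> Settlement
        self.cancel_reqs = {}  # settlement id -> sides that have asked to cancel

    def issue(self, otp, user_id, upper_limit, expires_at):
        self.otps[otp] = OtpRecord(user_id, upper_limit, expires_at)

    def final_determination(self, otp, amount, payee, now, user_id=None):
        rec = self.otps.get(otp)
        if rec is None:
            return {"allowed": False, "reason": "no matching one-time password"}
        reason = None
        if user_id is not None and user_id != rec.user_id:
            reason = "user ID mismatch"        # condition 2; skipped if no ID is sent
        elif now > rec.expires_at:
            reason = "one-time password expired"
        elif amount > rec.virtual_balance:
            reason = "amount exceeds virtual balance"
        result = {"allowed": reason is None}
        if reason is None:
            rec.virtual_balance -= amount
            rec.payments += 1
            sid = len(self.settlements) + 1
            self.settlements[sid] = Settlement(otp, rec.user_id, payee, amount, now)
            result["settlement_id"] = sid
        else:
            result["reason"] = reason
        # Payment count and remaining balance accompany every result, so an
        # unexpected earlier use of the one-time password is visible at once.
        result.update(payments=rec.payments, balance=rec.virtual_balance)
        return result

    def cancelable(self, side, who, now):
        """IDs of settlements that this user or terminal may still cancel."""
        return [sid for sid, s in self.settlements.items()
                if not s.canceled and 0 <= now - s.at <= CANCEL_WINDOW_S
                and who == (s.user_id if side == "user" else s.payee)]

    def request_cancel(self, side, who, sid, now):
        """Record one side's request; cancel only once both sides name the same sid."""
        if sid not in self.cancelable(side, who, now):
            return False
        sides = self.cancel_reqs.setdefault(sid, set())
        sides.add(side)
        if sides != {"user", "terminal"}:
            return False
        s = self.settlements[sid]
        s.canceled = True
        rec = self.otps[s.otp]
        rec.virtual_balance += s.amount   # assumption: a cancel restores the balance
        rec.payments -= 1
        return True


def demo():
    """Constructed run: times are seconds after 19:18, amounts are in yen."""
    dev = SettlementDevice()
    dev.issue("OTP-EXAMPLE", "d2af1apfa", upper_limit=30000, expires_at=3600)
    first = dev.final_determination("OTP-EXAMPLE", 2600, "terminal-A", 0, "d2af1apfa")
    second = dev.final_determination("OTP-EXAMPLE", 25000, "terminal-B", 180)
    third = dev.final_determination("OTP-EXAMPLE", 5000, "terminal-C", 240)
    user_only = dev.request_cancel("user", "d2af1apfa", second["settlement_id"], 300)
    both = dev.request_cancel("terminal", "terminal-B", second["settlement_id"], 320)
    return first, second, third, user_only, both, dev.otps["OTP-EXAMPLE"].virtual_balance


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The user's request alone does not cancel the 25000 yen settlement; the device acts only after the receiving terminal names the same settlement within the window.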

[Variation]

The settlement system of the variation will be described. This variation may also be applied to the second embodiment.

The settlement system of the variation is basically not different from the settlement system according to the first embodiment. A difference is a part of the data recorded in the credit information recording unit 224 of the settlement device 200. Also, consequently, the credit determination processing executed by the credit determination unit 223, and the processing in the main control unit 222 in the case where the payment has been realized with the one-time password from the user of the user terminal 100 to the administrator of the settlement terminal 300, are different in the case of the variation and the case of the first embodiment.

In the settlement system of the first embodiment, each user's credit balance has been recorded in the credit information recording unit 224 of the settlement device. This credit balance is not unrelated to each user's cash as mentioned above, but is decided depending on each user's credit. In the settlement system of the variation, a deposit balance has been recorded instead of the credit balance (FIG. 22).

The deposit balance is a balance of cash owned by the user. The deposit balance is, for example, the balance of the user's bank account itself, which is owned by the user at a certain bank. In this case, for the above-mentioned certain bank, the administrator of the settlement device 200 itself may or may not be the bank. Alternatively, the deposit balance may also be the balance of money deposited at the administrator of the settlement device 200 from the user.

In the first embodiment, if the credit determination unit 223 performs the credit determination, the amount identified by the upper limit amount information has been compared to the amount of the credit balance, and the condition for generating the temporary permission information has been that the latter is equal to or larger than the former. Instead, if the credit determination unit 223 in the variation performs the credit determination, the amount identified by the upper limit amount information is compared to an amount of the deposit balance, and the condition for generating the temporary permission information is that the latter is equal to or larger than the former. It should be noted that, if the credit determination unit 223 has generated the temporary permission information, and the OTP generation unit 227 has generated the one-time password, the main control unit 222, which has accepted the one-time password, records the one-time password, and the upper limit amount and the like, which are made to correspond to the one-time password, in the virtual balance recording unit 229. Also in the case of this variation, this point is not different from the case of the first embodiment.

Then, it is assumed that the one-time password has been sent from the settlement terminal 300 to the settlement device 200, and after the processing similar to the case of the first embodiment, the payment with the one-time password, from the user of the user terminal 100 to the administrator of the settlement terminal 300, has been allowed in the settlement device 200. Then, in this variation, the amount for which the payment has been allowed is subtracted from the deposit balance associated with the one-time password used for the payment. This subtracted amount may be deposited to the administrator of the settlement device 200 once, may be remitted to the recipient of the payment, or may be remitted to a person who performs the payment to the recipient of the payment. When such processing is performed, the one-time password owned by the user is put into a state similar to such a state where security guarantee with the money owned by the user as the deposit balance is provided. In other words, the one-time password can also be said to be the money that is owned by the user as the deposit balance and can be brought out as data or information.

This function of the security guarantee becomes more robust if, after the one-time passwords have been generated in the settlement device 200 and the user terminal 100, the main control unit 222 in the settlement device 200 defines that the amount corresponding to the upper limit amount information made to correspond to the generated one-time password is subtracted from the user's deposit balance and deposited to the administrator of the settlement device 200 (or, for example, a public third party).
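The two ways of handling the deposit balance in the variation, subtracting at the time of payment or subtracting the upper limit amount when the one-time password is generated, are compared in the following added example, which is not code from the patent. The class and method names and the scenario values are constructed; it assumes that the credit determination looks only at the current deposit balance, that the device refuses a payment rather than overdraw the deposit, and that an unused held amount returns to the deposit balance on expiry.

```python
class DepositLedger:
    """Variation: the deposit balance (FIG. 22) replaces the credit balance."""

    def __init__(self, deposits, hold_at_issuance):
        self.deposit = dict(deposits)   # user ID -> deposit balance
        self.hold_at_issuance = hold_at_issuance
        self.held = 0                   # kept by the settlement device administrator
        self.received = {}              # payee -> amount received
        self.otps = {}                  # OTP -> [user ID, virtual balance, expiry]

    def issue(self, user_id, otp, upper_limit, expires_at):
        # Credit determination: the deposit balance must cover the upper limit.
        if upper_limit > self.deposit[user_id]:
            return False                # no temporary permission information
        if self.hold_at_issuance:
            self.deposit[user_id] -= upper_limit
            self.held += upper_limit
        self.otps[otp] = [user_id, upper_limit, expires_at]
        return True

    def pay(self, otp, amount, payee, now):
        rec = self.otps.get(otp)
        if rec is None or now > rec[2] or amount > rec[1]:
            return False
        user_id = rec[0]
        if self.hold_at_issuance:
            self.held -= amount         # already set aside for this password
        elif amount > self.deposit[user_id]:
            return False                # assumption: refuse rather than overdraw
        else:
            self.deposit[user_id] -= amount
        rec[1] -= amount
        self.received[payee] = self.received.get(payee, 0) + amount
        return True

    def expire(self, now):
        """Drop expired passwords; an unused held amount returns to the user."""
        for otp, (user_id, virtual, expires_at) in list(self.otps.items()):
            if now > expires_at:
                if self.hold_at_issuance:
                    self.held -= virtual
                    self.deposit[user_id] += virtual
                del self.otps[otp]

    def total(self):
        return sum(self.deposit.values()) + self.held + sum(self.received.values())


def compare_modes():
    """Constructed scenario: 30000 yen on deposit, two passwords of 25000 yen each."""
    out = {}
    for hold in (False, True):
        led = DepositLedger({"d2af1apfa": 30000}, hold_at_issuance=hold)
        issued = [led.issue("d2af1apfa", otp, 25000, expires_at=600)
                  for otp in ("OTP-1", "OTP-2")]
        paid = [led.pay(otp, 20000, "terminal-A", now=60)
                for otp in ("OTP-1", "OTP-2")]
        held_before_expiry = led.held
        led.expire(now=601)
        out[hold] = (issued, paid, held_before_expiry,
                     led.deposit["d2af1apfa"], led.held, led.total())
    return out


if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print("hold at issuance:", mode, result)
```

Without the hold, both one-time passwords are issued but the second payment is refused at the settlement terminal; with the hold, the second password is never issued, so every issued password is backed by money already set aside.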

Second Embodiment

The settlement system of the second embodiment will be described. The settlement system of the second embodiment is basically configured similarly to the settlement system of the first embodiment, and the flow of the settlement performed by this settlement system is also similar to the case of the settlement system of the first embodiment.

The difference between the settlement systems of the first embodiment and the second embodiment is a way of performing the final determination, in the final determination unit 225 of the settlement device 200, and moreover, the data sent from the settlement terminal 300 to the settlement device 200 is also changed accordingly. Moreover, the data recorded in the virtual balance recording unit 229 is also changed.

In the first embodiment, as mentioned above, it has been supposed that, if the settlement application information and the one-time password are transmitted from the settlement terminal 300 to the settlement device 200, the user ID is also transmitted with them.

The one-time password, which has been generated in the user terminal 100 and transmitted from the settlement terminal 300, is to be compared to the one-time password, which has been generated in the OTP generation unit 227 of the settlement device 200, in the final determination unit 225, and thus needs to be sent with the settlement application information from the settlement terminal 300 to the settlement device 200. Meanwhile, in the above-mentioned embodiment, the user ID has been used to check whether or not the payment with the user ID is performed by the user himself of the user terminal 100 that has generated the one-time password.

However, the check may be more conveniently omitted, that is, it may be more convenient if the one-time password can also be used by a person other than the legitimate user of the user terminal 100 that has generated the one-time password.

This second embodiment relates to such a settlement system.

In the settlement system of the second embodiment, as mentioned above, when the settlement application information is transmitted from the settlement terminal 300 to the settlement device 200, while the one-time password generated in the user terminal 100 is added to the settlement application information, the information for identifying the user who intends to perform the settlement, such as the user ID, is not added.

Moreover, the user ID, which has been recorded so as to be associated with the one-time password in the first embodiment, is not recorded in the virtual balance recording unit 229, but may also be recorded.

It is assumed that one user or a person other than the user has transmitted the one-time password not necessarily generated in the user terminal 100 owned by the user, with the settlement application information to the settlement device 200 through the settlement terminal 300. In other words, it is assumed that the one-time password generated in the user terminal 100 has been sent to the settlement device 200 via the settlement terminal 300 by the user of the user terminal 100, or by a person to whom the one-time password has been transferred from the user directly or via anyone else.

The settlement application information and the one-time password are received at the transmission and reception unit of the settlement device 200, and sent to the main control unit 222 via the data input/output unit 221. The main control unit 222 sends the settlement application information and the one-time password which have been received, to the final determination unit 225.

The final determination unit 225 then determines whether or not the one-time password matching the one-time password received from the main control unit 222 exists in many one-time passwords for various users, which have been generated in the OTP generation unit 227 and recorded in the virtual balance recording unit 229. If such a one-time password exists, the final determination unit 225 reads out the one-time password matching the one-time password received from the main control unit 222 and sent from the user via the settlement terminal 300; and various data (however, the user ID does not exist) linked to the matching one-time password and recorded in the virtual balance recording unit 229. Subsequent processing in this second embodiment may be similar to the case of the above-mentioned embodiment, except for omission of the above-mentioned condition 2 for determining the matching of the user IDs.

While the final determination unit 225 will compare the one-time password generated in the user terminal 100 to many one-time passwords generated by the OTP generation unit 227 and recorded in the virtual balance recording unit 229, the number of the one-time passwords generated is large but not huge if the one-time password generated in the user terminal 100 has the expiration time. Moreover, there is no possibility of generation of identical one-time passwords for multiple users created in the OTP generation unit 227 during that time. Accordingly, in this case, it can be said that the above-mentioned condition 4 is also preferably used in the final determination unit 225.

Accordingly, the final determination unit 225 can also correctly generate the final determination data similarly to the case of the first embodiment, according to the method of the second embodiment.

1. A settlement system configured to include: a user terminal used by auser, comprising user terminal input means that accepts input ofinformation, user terminal transmission and reception means thatperforms transmission and reception of data via a predetermined network,and user terminal information processing means that performs informationprocessing; a settlement device that performs settlement of the user'spayment, comprising settlement device transmission and reception meansthat performs transmission and reception of the data via the network,settlement device information processing means that performs informationprocessing, and a recording medium that records at least virtual balanceinformation for each user so as to be associated with each user; and asettlement terminal managed by a recipient of the payment from the user,comprising settlement terminal input means that accepts the input of theinformation, and settlement terminal transmission and reception meansthat performs transmission and reception of the data via the network,wherein each of the user terminal, the settlement device, and thesettlement terminal is capable of connecting to the network, wherein theuser terminal is capable of inputting upper limit amount informationthat is information identifying an amount of an upper limit of thesettlement, and amount information that is information identifying anamount to be settled, with the user terminal input means, and transmitsthe upper limit amount information and user information that isinformation identifying the user who performs the payment of the amountidentified by the upper limit amount information, to the settlementdevice via the network with the user terminal transmission and receptionmeans; and moreover, the user terminal information processing meanscomprises a user terminal OTP generation unit that generates a one-timepassword, wherein the settlement device receives the upper limit amountinformation and the user information from the user 
terminal with thesettlement device transmission and reception means; the settlementdevice information processing means comprises a credit determinationunit that, if the settlement device transmission and reception means hasreceived the upper limit amount information and the user information,executes credit determination that is determination of whether or notthe settlement of the payment of the amount identified by the upperlimit amount information sent from the user terminal is possible, and ifit is determined in the credit determination that the settlement ispossible, generates temporary permission information that is informationindicating the determination; the settlement device informationprocessing means also comprises a final determination unit that performsfinal determination of the settlement, and a settlement device OTPgeneration unit that generates a one-time password identical to theone-time password which is generated in the user terminal if thetemporary permission information has been generated; the settlementdevice transmission and reception means transmits the temporarypermission information generated by the credit determination unit to theuser terminal via the network; and moreover, in the recording medium,the one-time password and the upper limit amount information arerecorded so as to be associated with each other such that the upperlimit amount information becomes the virtual balance information, theupper limit amount information having been used for generating thetemporary permission information that has caused the generation of theone-time password in the settlement device OTP generation unit, andwherein when the temporary permission information is accepted from thesettlement device by the user terminal at the user terminal transmissionand reception means, the user terminal OTP generation unit generates theone-time password; and if the one-time password generated in the userterminal and the amount information have been inputted from 
the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
2. A user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include: the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network, wherein upper limit amount information that is information identifying an amount of an upper limit of the settlement, and amount information that is information identifying an amount to be settled are capable of being inputted with the user terminal input means; the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information are transmitted to the settlement device via the network with the user terminal transmission and reception means; and moreover, the user terminal information processing means comprises a user terminal OTP generation unit that generates a one-time password, wherein the
settlement device receives the upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means; the settlement device information processing means comprises a credit determination unit that, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executes credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information for the user identified by the user information is possible, and if it is determined in the credit determination that the settlement is possible, generates temporary permission information that is information indicating the determination; the settlement device information processing means also comprises a final determination unit that performs final determination of the settlement, and a settlement device OTP generation unit that generates a one-time password identical to the one-time password which is generated in the user terminal if the temporary permission information has been generated; the settlement device transmission and reception means transmits the temporary permission information generated by the credit determination unit to the user terminal via the network; and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit, and wherein when the temporary permission information is accepted from the settlement device by the user terminal at the user terminal transmission and reception means, the user terminal OTP generation unit generates the one-time password;
and thereby, if the one-time password generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
3. The user terminal according to claim 2, wherein the user information includes both a user ID inputted by the user with the user terminal input means, and unique terminal information allocated to each user terminal that is the user terminal.
4. The user terminal according to claim 2, wherein the user terminal input means is capable of, with an operation thereof, inputting an additional condition that is a condition added in order for the final determination unit of the settlement device to permit the payment from the user of the user terminal to the administrator of the settlement terminal, and the user terminal transmission and reception means sends the additional condition to the settlement device via the network, and when the settlement device transmission and reception means accepts the additional condition, the final determination unit adds a condition for permitting the payment from the user of the user terminal to the administrator of the settlement terminal, depending on the additional condition.
5. The user terminal according to claim 4, wherein the additional condition is a restriction of a period in which the payment is permitted.
6. The user terminal according to claim 4, wherein the additional condition is a restriction of a position of the settlement terminal that receives the payment.
7. The user terminal according to claim 4, wherein the additional condition is a restriction of the settlement terminal that receives the payment.
8. The user terminal according to claim 6, wherein the user terminal comprises position information generation means that generates position information that is information for identifying a position where the user terminal exists, and the user terminal transmission and reception means transmits the position information to the settlement device, and only if a position of the settlement terminal that has sent the one-time password from the user terminal with the settlement terminal transmission and reception means thereof is within a predetermined distance from the position identified by the position information generated in the position information generation means of the user terminal, the final determination unit of the settlement device permits the payment from the user of the user terminal to the administrator of the settlement terminal with the one-time password.
9. The user terminal according to claim 8, wherein the user terminal transmission and reception means transmits the position information along with the upper limit amount information and the user information to the settlement device.
10. The user terminal according to claim 2, wherein the user terminal input means is capable of inputting an upper limit amount identified by the upper limit amount information as a sum of split amounts that are two or more amounts; and if the user terminal OTP generation unit generates the one-time password, the user terminal OTP generation unit generates as many one-time passwords as a number of pieces of split amount information that is information identifying the split amounts, corresponding to the respective pieces of the split amount information, if the settlement device OTP generation unit in the settlement device generates the one-time password identical to the one-time password which is generated in the user terminal, the settlement device OTP generation unit generates as many one-time passwords identical to those generated in the user terminal, as the number of pieces of the split amount information, corresponding to the respective pieces of the split amount information; and in the recording medium, the one-time passwords and the split amount information made to correspond to the one-time passwords are recorded so as to be associated with each other such that each piece of the upper limit amount information becomes the virtual balance information, and if the one-time password made to correspond to one piece of the split amount information generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with the one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on the condition that the amount identified by the amount information received from the settlement
terminal is equal to or less than the amount identified by the virtual balance information, the final determination unit of the settlement device permits the payment from the user of the user terminal to the administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
11. The user terminal according to claim 10, wherein the split amount information is selected from predefined split amount information with an operation of the user terminal input means.
12. The user terminal according to claim 2, wherein the user terminal input means is capable of inputting user terminal cancellation information for identifying and canceling one of settlements performed in the past with the user terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the user terminal transmission and reception means sends the user terminal cancellation information to the settlement device via the network, and the settlement device information processing means comprises cancellation means that, when the user terminal cancellation information has been accepted, cancels the settlement identified by the user terminal cancellation information.
13. A method executed by user terminal information processing means included in a user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include: the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and the user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network, wherein the method executed by the user terminal information processing means includes: a process of accepting input of upper limit amount information that is information identifying an amount of an upper limit of the settlement, with the user terminal input means; a process of transmitting the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; a process of, if, in the settlement device that has received the
upper limit amount information and the user information from the user terminal with the settlement device transmission and reception means, the settlement device information processing means has executed credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and in a case where it has been determined in the credit determination that the settlement is possible, the settlement device information processing means has generated temporary permission information that is information indicating the determination, and has also generated a one-time password in a case where the temporary permission information has been generated, and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password, and the settlement device transmission and reception means has transmitted the temporary permission information to the user terminal via the network, accepting the temporary permission information by the user terminal transmission and reception means; and a process of, if the temporary permission information has been accepted from the settlement device by the user terminal, generating a one-time password identical to the one-time password which is generated in the settlement device, and wherein thereby, if the one-time password generated in the user terminal and amount information that is information identifying an amount to be settled have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and
reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and moreover, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the settlement device information processing means of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
14. A computer program for causing a computer to function as a user terminal for constituting a settlement system which has the user terminal, a settlement device, and a settlement terminal configured to include: the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network, wherein the computer is caused to execute: a process of accepting input of upper limit amount information that is information identifying an amount of an upper limit of the settlement, with the user terminal input means; a process of transmitting the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; a process of, if, in the settlement device that has received the upper limit amount information and the user information from the
user terminal with the settlement device transmission and reception means, the settlement device information processing means has executed credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and in a case where it has been determined in the credit determination that the settlement is possible, the settlement device information processing means has generated temporary permission information that is information indicating the determination, and has also generated a one-time password in a case where the temporary permission information has been generated, and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password, and the settlement device transmission and reception means has transmitted the temporary permission information to the user terminal via the network, accepting the temporary permission information by the user terminal transmission and reception means; and a process of, if the temporary permission information has been accepted from the settlement device by the user terminal, generating a one-time password identical to the one-time password which is generated in the settlement device, and wherein thereby, if the one-time password generated in the user terminal and amount information that is information identifying an amount to be settled have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the
virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and moreover, on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the settlement device information processing means of the settlement device permits the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
15. A settlement device for constituting a settlement system which has a user terminal, the settlement device, and a settlement terminal configured to include: the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network, wherein the user terminal is capable of inputting upper limit amount information that is information identifying an amount of an upper limit of the settlement, and amount information that is information identifying an amount to be settled, with the user terminal input means, and transmits the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information, to the settlement device via the network with the user terminal transmission and reception means; and moreover, the user terminal information processing means comprises a user terminal OTP generation unit that generates a one-time password,
wherein the upper limit amount information and the user information are received from the user terminal with the settlement device transmission and reception means; the settlement device information processing means comprises a credit determination unit that, if the settlement device transmission and reception means has received the upper limit amount information and the user information, executes credit determination that is determination of whether or not the settlement of the payment of the amount identified by the upper limit amount information sent from the user terminal is possible, and if it is determined in the credit determination that the settlement is possible, generates temporary permission information that is information indicating the determination; the settlement device information processing means also comprises a final determination unit that performs final determination of the settlement, and a settlement device OTP generation unit that generates a one-time password identical to the one-time password which is generated in the user terminal if the temporary permission information has been generated; the settlement device transmission and reception means transmits the temporary permission information generated by the credit determination unit to the user terminal via the network; and moreover, in the recording medium, the one-time password and the upper limit amount information are recorded so as to be associated with each other such that the upper limit amount information becomes the virtual balance information, the upper limit amount information having been used for generating the temporary permission information that has caused the generation of the one-time password in the settlement device OTP generation unit, and wherein when the temporary permission information is accepted from the settlement device by the user terminal at the user terminal transmission and reception means, the user terminal OTP generation unit generates the one-time password; and if the one-time
password generated in the user terminal and the amount information have been inputted from the settlement terminal input means of the settlement terminal, and the settlement terminal has sent the one-time password and the amount information from the settlement terminal transmission and reception means to the settlement device via the network, the virtual balance information associated with a one-time password identical to the one-time password received from the settlement terminal by the settlement device is read out from the recording medium, and also on a condition that the amount identified by the amount information received from the settlement terminal is equal to or less than an amount identified by the virtual balance information, the final determination unit of the settlement device permits the settlement of the payment from the user of the user terminal to an administrator of the settlement terminal with the one-time password, and also subtracts the amount used for the payment, from the virtual balance information recorded so as to be associated with the one-time password used for the payment in the recording medium.
16. The settlement device according to claim 15, wherein the final determination unit permits the settlement only if a time from a predetermined time point after the user starts processing for inputting the upper limit amount information with the user terminal input means and before the final determination unit performs the final determination of the settlement, until the final determination unit performs the final determination of the settlement, is shorter than a predefined time interval.
17. The settlement device according to claim 15, wherein the user terminal input means is capable of inputting user terminal cancellation information for identifying and canceling one of settlements performed in the past with the user terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the user terminal transmission and reception means sends the user terminal cancellation information to the settlement device via the network, and the settlement device information processing means comprises cancellation means that, when the user terminal cancellation information has been accepted, cancels the settlement identified by the user terminal cancellation information.
18. The settlement device according to claim 15, wherein the settlement terminal input means is capable of inputting settlement terminal cancellation information for identifying and canceling one of settlements performed in the past with the settlement terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the settlement terminal transmission and reception means sends the settlement terminal cancellation information to the settlement device via the network, and the settlement device information processing means comprises cancellation means that, when the settlement terminal cancellation information has been accepted, cancels the settlement identified by the settlement terminal cancellation information.
19. The settlement device according to claim 17, wherein the settlement terminal input means is capable of inputting settlement terminal cancellation information for identifying and canceling one of settlements performed in the past with the settlement terminal, after the final determination unit of the settlement device has permitted the settlement, and moreover, the settlement terminal transmission and reception means sends the settlement terminal cancellation information to the settlement device via the network, and the cancellation means cancels the settlement when the user terminal cancellation information and the settlement terminal cancellation information have been accepted and the settlements identified by the user terminal cancellation information and the settlement terminal cancellation information have matched each other.
20. The settlement device according to claim 17, wherein when the final determination unit has not permitted the settlement, the final determination unit generates non-permission information that identifies which settlement has not been permitted and indicates that the settlement has not been permitted, and sends the non-permission information to the settlement device transmission and reception means; and the settlement device transmission and reception means transmits the non-permission information to the settlement terminal via the network, and the settlement terminal that has accepted the non-permission information notifies an administrator of the settlement terminal of which settlement has not been permitted.
21. The settlement device according to claim 15, wherein each user's deposit balance is recorded in the recording medium, and if the temporary permission information has been generated, the upper limit amount information that has caused the generation of the temporary permission information is subtracted from the deposit balance of the user who has sent the upper limit amount information that has caused the generation of the temporary permission information.
22. The settlement device according to claim 15, wherein each user's deposit balance is recorded in the recording medium, and the credit determination unit performs the credit determination by determining whether or not the amount identified by the upper limit amount information is equal to or less than the user's deposit balance, and generates the temporary permission information on a condition that the amount identified by the upper limit amount information is equal to or less than the user's deposit balance.
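The settlement-device behaviour recited in claims 15, 21 and 22, together with the period and settlement-terminal conditions of claims 5 and 7, is shown below as an added Python example that is not part of the patent text. The HMAC-based OTP derivation, the per-terminal shared secret, the lock, and every class, function and parameter name are assumptions; the claims only require that both sides generate an identical one-time password.

```python
import hashlib
import hmac
import secrets
import threading
from dataclasses import dataclass
from typing import Optional


def derive_otp(shared_secret: bytes, permission: bytes, digits: int = 8) -> str:
    """OTP computed identically by the user terminal and the settlement device.

    ASSUMPTION: HMAC-SHA256 over the temporary permission information, keyed
    with a per-terminal secret. The claims do not prescribe a derivation.
    """
    mac = hmac.new(shared_secret, permission, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


@dataclass
class Authorization:
    user_id: str
    virtual_balance: int          # remaining amount, in minor currency units
    expires_at: Optional[float]   # additional condition: permitted period
    terminal_id: Optional[str]    # additional condition: permitted terminal


class SettlementDevice:
    def __init__(self) -> None:
        self._lock = threading.Lock()  # check-and-debit must be atomic
        self._secrets = {}             # user_id -> shared secret (assumed)
        self._deposits = {}            # user_id -> deposit balance
        self._by_otp = {}              # OTP -> Authorization (recording medium)

    def register(self, user_id: str, shared_secret: bytes, deposit: int) -> None:
        with self._lock:
            self._secrets[user_id] = shared_secret
            self._deposits[user_id] = deposit

    def deposit_balance(self, user_id: str) -> int:
        with self._lock:
            return self._deposits[user_id]

    def preauthorize(self, user_id: str, upper_limit: int, now: float,
                     valid_for: Optional[float] = None,
                     terminal_id: Optional[str] = None) -> Optional[bytes]:
        """Credit determination; returns temporary permission info or None."""
        with self._lock:
            balance = self._deposits.get(user_id)
            # Credit is possible only if the upper limit fits the deposit.
            if balance is None or upper_limit <= 0 or upper_limit > balance:
                return None
            while True:  # retry on the rare collision with a live OTP
                permission = secrets.token_bytes(16)
                otp = derive_otp(self._secrets[user_id], permission)
                if otp not in self._by_otp:
                    break
            # Reserve the upper limit out of the deposit balance.
            self._deposits[user_id] = balance - upper_limit
            expires = None if valid_for is None else now + valid_for
            # The upper limit becomes the virtual balance tied to this OTP.
            self._by_otp[otp] = Authorization(user_id, upper_limit,
                                              expires, terminal_id)
            return permission

    def settle(self, otp: str, amount: int, now: float,
               terminal_id: str) -> bool:
        """Final determination for a request sent by a settlement terminal."""
        with self._lock:
            auth = self._by_otp.get(otp)
            if auth is None or amount <= 0:
                return False
            if auth.expires_at is not None and now > auth.expires_at:
                return False
            if auth.terminal_id is not None and auth.terminal_id != terminal_id:
                return False
            if amount > auth.virtual_balance:
                return False
            auth.virtual_balance -= amount
            if auth.virtual_balance == 0:
                del self._by_otp[otp]  # nothing left to spend with this OTP
            return True
```

A disclosed one-time password exposes at most the remaining virtual balance, and holding the lock across the comparison and the subtraction keeps two concurrent requests from both passing the balance check.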
23. A method executed by settlement device information processing means included in a settlement device which has a user terminal, the settlement device, and a settlement terminal for constituting a settlement system configured to include: the user terminal used by a user, comprising user terminal input means that accepts input of information, user terminal transmission and reception means that performs transmission and reception of data via a predetermined network, and user terminal information processing means that performs information processing; the settlement device that performs settlement of the user's payment, comprising settlement device transmission and reception means that performs transmission and reception of the data via the network, the settlement device information processing means that performs information processing, and a recording medium that records at least virtual balance information for each user so as to be associated with each user; and the settlement terminal managed by a recipient of the payment from the user, comprising settlement terminal input means that accepts the input of the information, and settlement terminal transmission and reception means that performs transmission and reception of the data via the network, wherein each of the user terminal, the settlement device, and the settlement terminal is capable of connecting to the network, and wherein the method executed by the settlement device information processing means includes: a process of, after upper limit amount information that is information identifying an amount of an upper limit of the settlement has been inputted with the user terminal input means in the user terminal, when the upper limit amount information and user information that is information identifying the user who performs the payment of the amount identified by the upper limit amount information have been transmitted to the settlement device via the network with the user terminal transmission and reception means, receiving the upper
limitamount information and the user information from the user terminal withthe settlement device transmission and reception means; a process of, ifthe settlement device transmission and reception means has received theupper limit amount information and the user information, executingcredit determination that is determination of whether or not thesettlement of the payment of the amount identified by the upper limitamount information for the user identified by the user information ispossible, and if it is determined in the credit determination that thesettlement is possible, generating temporary permission information thatis information indicating the determination; a process of generating aone-time password if the temporary permission information has beengenerated; a process of recording, in the recording medium, the one-timepassword and upper limit amount information so as to be associated witheach other such that the upper limit amount information becomes thevirtual balance information, the upper limit amount information havingbeen used for generating the temporary permission information that hascaused the generation of the one-time password; a process oftransmitting the generated temporary permission information to the userterminal via the network, with the settlement device transmission andreception means; a process of, if, in the user terminal that hasaccepted the temporary permission information at the user terminaltransmission and reception means from the settlement device, a one-timepassword that has been generated by the user terminal informationprocessing means and is identical to that generated in the settlementdevice, and the amount information have been inputted from thesettlement terminal input means of the settlement terminal, and thesettlement terminal has sent the one-time password and the amountinformation from the settlement terminal transmission and receptionmeans to the settlement device via the network, receiving the one-timepassword and the 
amount information at the settlement devicetransmission and reception means; and a process of reading out thevirtual balance information associated with a one-time passwordidentical to the one-time password received from the settlement terminalby the settlement device, from the recording medium, and on a conditionthat the amount identified by the amount information received from thesettlement terminal is equal to or less than an amount identified by thevirtual balance information, settling the payment from the user of theuser terminal to an administrator of the settlement terminal with theone-time password, and also subtracting the amount used for the payment,from the virtual balance information recorded so as to be associatedwith the one-time password used for the payment in the recording medium.24. A computer program for causing a computer to function as asettlement device for constituting a settlement system configured toinclude: a user terminal used by a user, comprising user terminal inputmeans that accepts input of information, user terminal transmission andreception means that performs transmission and reception of data via apredetermined network, and user terminal information processing meansthat performs information processing; the settlement device thatperforms settlement of the user's payment, comprising settlement devicetransmission and reception means that performs transmission andreception of the data via the network, settlement device informationprocessing means that performs information processing, and a recordingmedium that records at least virtual balance information for each userso as to be associated with each user; and a settlement terminal managedby a recipient of the payment from the user, comprising settlementterminal input means that accepts the input of the information, andsettlement terminal transmission and reception means that performstransmission and reception of the data via the network, wherein each ofthe user terminal, the 
settlement device, and the settlement terminal iscapable of connecting to the network, and wherein the computer is causedto execute: a process of, after upper limit amount information that isinformation identifying an amount of an upper limit of the settlementhas been inputted with the user terminal input means in the userterminal, when the upper limit amount information and user informationthat is information identifying the user who performs the payment of theamount identified by the upper limit amount information have beentransmitted to the settlement device via the network with the userterminal transmission and reception means, receiving the upper limitamount information and the user information from the user terminal withthe settlement device transmission and reception means; a process of, ifthe settlement device transmission and reception means has received theupper limit amount information and the user information, executingcredit determination that is determination of whether or not thesettlement of the payment of the amount identified by the upper limitamount information for the user identified by the user information ispossible, and if it is determined in the credit determination that thesettlement is possible, generating temporary permission information thatis information indicating the determination; a process of generating aone-time password if the temporary permission information has beengenerated; a process of recording, in the recording medium, the one-timepassword and upper limit amount information so as to be associated witheach other such that the upper limit amount information becomes thevirtual balance information, the upper limit amount information havingbeen used for generating the temporary permission information that hascaused the generation of the one-time password; a process oftransmitting the generated temporary permission information to the userterminal via the network, with the settlement device transmission andreception means; a 
process of, if, in the user terminal that hasaccepted the temporary permission information at the user terminaltransmission and reception means from the settlement device, a one-timepassword that has been generated by the user terminal informationprocessing means and is identical to that generated in the settlementdevice, and the amount information have been inputted from thesettlement terminal input means of the settlement terminal, and thesettlement terminal has sent the one-time password and the amountinformation from the settlement terminal transmission and receptionmeans to the settlement device via the network, receiving the one-timepassword and the amount information at the settlement devicetransmission and reception means; and a process of reading out thevirtual balance information associated with a one-time passwordidentical to the one-time password received from the settlement terminalby the settlement device, from the recording medium, and on a conditionthat the amount identified by the amount information received from thesettlement terminal is equal to or less than an amount identified by thevirtual balance information, settling the payment from the user of theuser terminal to an administrator of the settlement terminal with theone-time password, and also subtracting the amount used for the payment,from the virtual balance information recorded so as to be associatedwith the one-time password used for the payment in the recording medium.25. A cash voucher made by: printing the one-time password generated inthe user terminal according to claim 2, on paper.
 26. The cash voucher according to claim 15, wherein a part of the one-time password is printed on one side of the paper, and a rest part of the one-time password is printed on another side of the paper, respectively.
 27. A cash voucher made by: printing information for identifying the one-time password generated in the user terminal according to claim 2, on paper.
 28. The cash voucher according to claim 27, wherein information for identifying a part of the one-time password is printed on one side of the paper, and information for identifying a rest part of the one-time password is printed on another side of the paper, respectively.
 29. The cash voucher according to claim 25, wherein a face of a person scheduled to use the cash voucher is printed on the paper.
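The settlement-device processes recited in claims 22 to 24, sketched as an added Python example that is not code from the patent. The HMAC-based `derive_otp`, the per-user shared secret and all names are assumptions; the claims only require that the user terminal and the settlement device arrive at an identical one-time password.

```python
import hashlib
import hmac
import secrets


def derive_otp(shared_secret: bytes, permission: str) -> str:
    """Assumed derivation: each side MACs the temporary permission information."""
    return hmac.new(shared_secret, permission.encode(), hashlib.sha256).hexdigest()[:12]


class SettlementDevice:
    def __init__(self, deposits, user_secrets):
        self.deposits = deposits          # user -> deposit balance (claim 22)
        self.user_secrets = user_secrets  # user -> shared secret (assumption)
        self.virtual_balance = {}         # one-time password -> remaining amount

    def request_permission(self, user, upper_limit):
        """Credit determination, then record OTP -> upper limit as virtual balance."""
        if user not in self.deposits or not 0 < upper_limit <= self.deposits[user]:
            return None                   # credit not possible: nothing is issued
        permission = secrets.token_hex(16)  # temporary permission information
        otp = derive_otp(self.user_secrets[user], permission)
        self.virtual_balance[otp] = upper_limit
        return permission                 # only this is sent to the user terminal

    def settle(self, otp, amount):
        """Handle the OTP and amount sent by the settlement terminal."""
        remaining = self.virtual_balance.get(otp)
        # Added guard: non-positive amounts are rejected as well as overdrafts.
        if remaining is None or amount <= 0 or amount > remaining:
            return False
        self.virtual_balance[otp] = remaining - amount
        return True


def demo():
    secret = b"constructed-demo-secret"   # constructed sample value
    device = SettlementDevice({"alice": 10_000}, {"alice": secret})
    refused = device.request_permission("alice", 50_000)  # exceeds the deposit
    permission = device.request_permission("alice", 3_000)
    otp = derive_otp(secret, permission)  # computed on the user terminal
    results = [device.settle(otp, 2_000),    # within the virtual balance
               device.settle(otp, 1_500),    # only 1,000 remains
               device.settle(otp, 1_000),    # uses the remainder
               device.settle("0" * 12, 1)]   # unknown one-time password
    return refused, results, device.virtual_balance[otp]


if __name__ == "__main__":
    print(demo())
```

The one-time password never crosses the network from the device to the user terminal in this sketch, and a payment above the remaining virtual balance is refused without changing the stored amount.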